Play interactive tour

Edit tour

Analysis Report sfk_setup.exe

Overview

General Information

Sample Name:	sfk_setup.exe
Analysis ID:	338143
MD5:	945d981860358a2da40321783865f6da
SHA1:	df551d918354421e60b458cbd7a9032080835bc9
SHA256:	407ae7a2edaae00d7e109b746153310fcfed60104687bde65b90b9a46c85f655
Most interesting Screenshot:

Detection

Score:	42
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Creates an undocumented autostart registry key

Uses regedit.exe to modify the Windows registry

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Queries keyboard layouts

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

sfk_setup.exe (PID: 6736 cmdline: 'C:\Users\user\Desktop\sfk_setup.exe' MD5: 945D981860358A2DA40321783865F6DA)

sfk_setup.tmp (PID: 6772 cmdline: 'C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp' /SL5='$2A0068,23551647,152064,C:\Users\user\Desktop\sfk_setup.exe' MD5: E40F7EB5C693C2D90A28CBA04D85D286)

regedit.exe (PID: 6364 cmdline: 'regedit.exe' /e 'C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid' 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1' MD5: 617538C965AC4DDC72F9CF647C4343D5)

iexplore.exe (PID: 1844 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' http://www.spyrix.com/spyrix-products.php?from=sfk_install MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4848 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1844 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

spkl.exe (PID: 6448 cmdline: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe MD5: B3660FFBFB44E9C85287E9BF41126C41)

spmm.exe (PID: 5340 cmdline: 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' 'Spyrix Free Keylogger 11.5.1' MD5: E0C9D91F9EBD2F3974B42B4DDFC1F6DC)

sime64.exe (PID: 6400 cmdline: 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe' exitime64 MD5: 66D5C7CA9D59F4F6F51907CBC2C9A5E7)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-6T4M6.tmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x14:$file: URL= 0x0:$url_explicit: [InternetShortcut]
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-98PHS.tmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x14:$file: URL= 0x0:$url_explicit: [InternetShortcut]
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-N2S1S.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000015.00000003.353294835.0000000003670000.00000004.00000001.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000011.00000002.613741986.0000000000401000.00000040.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000011.00000003.316681311.0000000004810000.00000004.00000001.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.spmm.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
17.2.spkl.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: sfk_setup.exe	Virustotal: Detection: 28%			Perma Link
Source: sfk_setup.exe	ReversingLabs: Detection: 25%

Source: 21.2.spmm.exe.400000.0.unpack

Avira: Label: TR/ATRAPS.Gen

Source: sfk_setup.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: sfk_setup.exe

Static PE information: certificate valid

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: unknown

HTTPS traffic detected: 54.39.133.136:443 -> 192.168.2.3:49748 version: TLS 1.2

Source: sfk_setup.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Development\OpenSSL\Temp\openssl-1.0.1c-x32\out32dll\libeay32.pdb source: sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp
Source:	Binary string: C:\Development\OpenSSL\Temp\openssl-1.0.1c-x32\out32dll\libeay32.pdbpS source: sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp
Source:	Binary string: C:\Development\OpenSSL\Temp\openssl-1.0.1c-x32\out32dll\ssleay32.pdb source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	0_2_00405BEC
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004AD294 FindFirstFileW,GetLastError,	1_2_004AD294
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00408174 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	1_2_00408174
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004FDF38 FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,	1_2_004FDF38
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_004099DC FindFirstFileW,	21_2_004099DC
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_0041491C FindFirstFileW,	21_2_0041491C
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_00409474 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	21_2_00409474
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00412380 FindFirstFileW,FindClose,	22_2_00412380
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00CC18B0 FindFirstFileW,FindClose,	22_2_00CC18B0

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic

HTTP traffic detected: GET /spyrix-products.php?from=sfk_install HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.spyrix.comConnection: Keep-Alive

Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: SearchID="http://www.myspace.com/search/" equals www.myspace.com (Myspace)
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: msgID="http://www.myspace.com/my/mail" equals www.myspace.com (Myspace)

Source: unknown

DNS traffic detected: queries for: www.spyrix.com

Source: sfk_setup.tmp, 00000001.00000002.344377806.0000000005600000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.344377806.0000000005600000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://css-tricks.com
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://jqueryfordesigners.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000003.338354456.00000000091E1000.00000004.00000001.sdmp	String found in binary or memory: http://lame.sf.net
Source: sfk_setup.tmp, 00000001.00000003.338354456.00000000091E1000.00000004.00000001.sdmp	String found in binary or memory: http://lame.sf.netD
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://opensource.org/licenses/afl-3.0.php
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://pixelgraphics.us/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://rc.qzone.qq.com/qzonesoso/?search
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338285923.0000000009134000.00000004.00000001.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: sfk_setup.tmp, 00000001.00000003.338285923.0000000009134000.00000004.00000001.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0definenameincludegrammarcombinechoiceDefines
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.mi
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp, sfk_setup.tmp, 00000001.00000003.325756750.0000000006EFA000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.mic
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.micr
Source: sfk_setup.tmp, 00000001.00000003.325756750.0000000006EFA000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsof
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsoft.co
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: spkl.exe	String found in binary or memory: http://spyrix.com/manual.php
Source: spkl.exe	String found in binary or memory: http://spyrix.net/promo/dashboard/index.shtml?
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.344377806.0000000005600000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://user.qzone.qq.com
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://vk.com/search
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: sfk_setup.tmp, 00000001.00000002.344377806.0000000005600000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/buynow.html
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/help.html
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/help.html#registrate
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338285923.0000000009134000.00000004.00000001.sdmp	String found in binary or memory: http://www.brynosaurus.com/cachedir/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: sfk_setup.exe, 00000000.00000003.209952617.0000000002480000.00000004.00000001.sdmp, sfk_setup.tmp, 00000001.00000003.212148023.0000000003170000.00000004.00000001.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp, spkl.exe, spmm.exe	String found in binary or memory: http://www.indyproject.org/
Source: sfk_setup.exe, 00000000.00000003.210213490.00000000025C0000.00000004.00000001.sdmp, sfk_setup.tmp, sfk_setup.tmp, 00000001.00000000.211570445.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: sfk_setup.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: sfk_setup.exe, 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.magentocommerce.com
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.magentocommerce.com)
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.myspace.com/my/mail
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.myspace.com/search/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338285923.0000000009134000.00000004.00000001.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: sfk_setup.tmp, 00000001.00000003.338285923.0000000009134000.00000004.00000001.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.ok.ru/dk?st.cmd=searchResult
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.openssl.org/V
Source: sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: sfk_setup.exe, 00000000.00000003.210213490.00000000025C0000.00000004.00000001.sdmp, sfk_setup.tmp	String found in binary or memory: http://www.remobjects.com/ps
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.339705822.000000000230A000.00000004.00000001.sdmp, spkl.exe	String found in binary or memory: http://www.spyrix.com
Source: sfk_setup.exe, 00000000.00000003.348789313.000000000231A000.00000004.00000001.sdmp, sfk_setup.tmp, 00000001.00000003.212148023.0000000003170000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyrix.com/
Source: spkl.exe	String found in binary or memory: http://www.spyrix.com/manual.php#registrate
Source: spkl.exe	String found in binary or memory: http://www.spyrix.com/pro_upgrade.htm?lic=
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp, sfk_setup.tmp, 00000001.00000003.325756750.0000000006EFA000.00000004.00000001.sdmp, spkl.exe	String found in binary or memory: http://www.spyrix.com/purchase.php
Source: sfk_setup.tmp, 00000001.00000003.339821308.00000000008DE000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyrix.com/spyrix-products.php?from=sfk_install
Source: sfk_setup.tmp, 00000001.00000003.339821308.00000000008DE000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyrix.com/spyrix-products.php?from=sfk_install#
Source: sfk_setup.tmp, 00000001.00000003.339821308.00000000008DE000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyrix.com/spyrix-products.php?from=sfk_installb
Source: sfk_setup.tmp, 00000001.00000003.339105902.0000000005130000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyrix.com/spyrix-products.php?from=sfk_installh
Source: sfk_setup.tmp, 00000001.00000003.212148023.0000000003170000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyrix.com/terms-of-use.php)
Source: spkl.exe	String found in binary or memory: http://www.spyrix.net/ibann
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338354456.00000000091E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.twolame.org
Source: sfk_setup.tmp, 00000001.00000003.338354456.00000000091E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.twolame.orgMPEG-2
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp	String found in binary or memory: http://www.videolan.org/x264.html
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp	String found in binary or memory: http://x265.org
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: spkl.exe	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: spkl.exe	String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload?
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/commit_chunked_upload
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/files/dropbox
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/files/sandbox
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/files_put
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/files_put?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/account/info
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/account/info?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/delta
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/delta?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/copy
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/copy?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/delete
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/delete?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/move
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/move?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/metadata/dropbox
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/metadata/sandbox
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/oauth/request_token
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/oauth/request_token?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/shares/dropbox
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/shares/sandbox
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp, spkl.exe	String found in binary or memory: https://dashboard.spyrix.com
Source: spkl.exe	String found in binary or memory: https://dashboard.spyrix.com/account/login-from-program?email=
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: https://download.spyrix.com/spm.html
Source: sfk_setup.tmp, 00000001.00000003.338285923.0000000009134000.00000004.00000001.sdmp	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0C
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: https://spyrix.net
Source: spkl.exe	String found in binary or memory: https://spyrix.net/Uwas771wvshs7916gjqg62417/core.php
Source: spkl.exe	String found in binary or memory: https://spyrix.net/dashboard/api/subscription/status?
Source: spkl.exe	String found in binary or memory: https://spyrix.net/usr/monitor/
Source: sfk_setup.tmp, 00000001.00000003.212148023.0000000003170000.00000004.00000001.sdmp, spkl.exe	String found in binary or memory: https://spyrix.net/usr/monitor/access.txt
Source: spkl.exe	String found in binary or memory: https://spyrix.net/usr/monitor/iupload.php
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: https://store.mspy.com/affiliate.php?ACCOUNT=BITEXGRO&AFFILIATE=40815&PATH=http%3A%2F%2Fwww.mspy.com
Source: spkl.exe	String found in binary or memory: https://www.dropbox.com/1/oauth/authorize?oauth_token=
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/auth/drive
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/auth/userinfo.prof
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/drive/v2/about
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/drive/v2/files
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/drive/v2/files/
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/drive/v2/files?maxResults=1000&q=
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files/
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files?uploadType=resumable

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443

Source: unknown

HTTPS traffic detected: 54.39.133.136:443 -> 192.168.2.3:49748 version: TLS 1.2

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe

Code function: 21_2_0040C946 OpenClipboard,

21_2_0040C946

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe

Code function: 21_2_0040C6EE GetClipboardData,

21_2_0040C6EE

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_00434448 GetObjectW,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

1_2_00434448

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_0045C584 GetKeyboardState,

1_2_0045C584

Source: sfk_setup.tmp, 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp

Binary or memory string: GetRawInputData

System Summary:

Uses regedit.exe to modify the Windows registry

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' /e 'C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid' 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1'

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe

Code function: 21_2_0040C5D6 NtdllDefWindowProc_W,

21_2_0040C5D6

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004808CC: CreateFileW,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_004808CC

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040E538 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_0040E538
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004B00AC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004B00AC

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

File created: C:\Windows\runkey.exe

Jump to behavior

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0041201D	0_2_0041201D
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00402260	0_2_00402260
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040D33C	0_2_0040D33C
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0041259C	0_2_0041259C
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00411F58	0_2_00411F58
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004E2284	1_2_004E2284
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004E2D99	1_2_004E2D99
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004736F8	1_2_004736F8
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004AC17C	1_2_004AC17C
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0049E118	1_2_0049E118
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004EA1FC	1_2_004EA1FC
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00402474	1_2_00402474
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0044A72C	1_2_0044A72C
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004FCA0C	1_2_004FCA0C
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00488C40	1_2_00488C40
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004BB20C	1_2_004BB20C
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004EB2B0	1_2_004EB2B0
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004535D0	1_2_004535D0
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004077F8	1_2_004077F8
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00481C84	1_2_00481C84
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700A64	21_3_02700A64
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700A05	21_3_02700A05
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700AF4	21_3_02700AF4
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700ADF	21_3_02700ADF
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700AC2	21_3_02700AC2
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700ACF	21_3_02700ACF
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700AB6	21_3_02700AB6
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700A91	21_3_02700A91
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700A9A	21_3_02700A9A
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B62	21_3_02700B62
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B43	21_3_02700B43
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B4A	21_3_02700B4A
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B31	21_3_02700B31
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B3E	21_3_02700B3E
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B28	21_3_02700B28
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B0B	21_3_02700B0B
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700BEE	21_3_02700BEE
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700BD0	21_3_02700BD0
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700BC4	21_3_02700BC4
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700BCB	21_3_02700BCB
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700BA4	21_3_02700BA4
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B95	21_3_02700B95
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700C57	21_3_02700C57
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700C39	21_3_02700C39
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700C2E	21_3_02700C2E
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700CF3	21_3_02700CF3
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700CDA	21_3_02700CDA
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700C8B	21_3_02700C8B
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700D6C	21_3_02700D6C
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700D51	21_3_02700D51
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700D42	21_3_02700D42
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700D11	21_3_02700D11
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700D00	21_3_02700D00
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_027009FB	21_3_027009FB
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_027009E7	21_3_027009E7
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_027009EE	21_3_027009EE
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_027009CA	21_3_027009CA
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700DCF	21_3_02700DCF
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700DB6	21_3_02700DB6
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700D9A	21_3_02700D9A
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_004082DC	21_2_004082DC
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_004036DC	21_2_004036DC
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00411E10	22_2_00411E10
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00430D90	22_2_00430D90
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_0068A700	22_2_0068A700
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00CC1340	22_2_00CC1340
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00CB40A8	22_2_00CB40A8

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 004ADAE0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 00487C88 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 00409620 appears 151 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 0049EE30 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 004B2E4C appears 37 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 00406914 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 0049EB4C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 0040C24C appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 004B2BC8 appears 49 times
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: String function: 00404C88 appears 36 times

Source: sfk_setup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: sfk_setup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-I5RK2.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-I5RK2.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: sfk_setup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sfk_setup.tmp.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: sfk_setup.tmp.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-I5RK2.tmp.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-I5RK2.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: sfk_setup.exe, 00000000.00000003.210347510.00000000026DE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs sfk_setup.exe
Source: sfk_setup.exe, 00000000.00000002.349265602.0000000002390000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs sfk_setup.exe
Source: sfk_setup.exe, 00000000.00000002.349205642.0000000000A20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenetmsg.DLL.MUIj% vs sfk_setup.exe

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Section loaded: ime32.dll			Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Section loaded: ime64.dll

Source: sfk_setup.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-6T4M6.tmp, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-98PHS.tmp, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019

Source: classification engine

Classification label: mal42.evad.winEXE@15/478@2/1

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004328A4 GetLastError,FormatMessageW,

1_2_004328A4

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040E538 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_0040E538
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004B00AC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004B00AC

Source: C:\Users\user\Desktop\sfk_setup.exe

Code function: 0_2_0040805C GetDiskFreeSpaceW,

0_2_0040805C

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004CC238 GetVersion,CoCreateInstance,

1_2_004CC238

Source: C:\Users\user\Desktop\sfk_setup.exe

Code function: 0_2_0040EE14 FindResourceW,SizeofResource,LoadResource,LockResource,

0_2_0040EE14

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\sfk_setup.exe

File created: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp

Jump to behavior

Source: Yara match	File source: 00000015.00000003.353294835.0000000003670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.613741986.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.316681311.0000000004810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-N2S1S.tmp, type: DROPPED
Source: Yara match	File source: 21.2.spmm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.spkl.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\sfk_setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="spmm.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="ff.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="spm.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="skl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="spkl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="sem.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="clv.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="akl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="sps.exe"
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\sfk_setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: sfk_setup.exe	Virustotal: Detection: 28%
Source: sfk_setup.exe	ReversingLabs: Detection: 25%

Source: sfk_setup.exe	String found in binary or memory: rting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked the co
Source: spkl.exe	String found in binary or memory: NATS-SEFI-ADD
Source: spkl.exe	String found in binary or memory: NATS-DANO-ADD
Source: spkl.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: spkl.exe	String found in binary or memory: jp-ocr-b-add
Source: spkl.exe	String found in binary or memory: jp-ocr-hand-add
Source: spkl.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: spkl.exe	String found in binary or memory: ISO_6937-2-add
Source: spmm.exe	String found in binary or memory: NATS-SEFI-ADD
Source: spmm.exe	String found in binary or memory: NATS-DANO-ADD
Source: spmm.exe	String found in binary or memory: jp-ocr-b-add
Source: spmm.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: spmm.exe	String found in binary or memory: jp-ocr-hand-add
Source: spmm.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: spmm.exe	String found in binary or memory: ISO_6937-2-add

Source: C:\Users\user\Desktop\sfk_setup.exe

File read: C:\Users\user\Desktop\sfk_setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\sfk_setup.exe 'C:\Users\user\Desktop\sfk_setup.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp 'C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp' /SL5='$2A0068,23551647,152064,C:\Users\user\Desktop\sfk_setup.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' /e 'C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid' 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://www.spyrix.com/spyrix-products.php?from=sfk_install
Source: unknown	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1844 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' 'Spyrix Free Keylogger 11.5.1'
Source: unknown	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe' exitime64
Source: C:\Users\user\Desktop\sfk_setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp 'C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp' /SL5='$2A0068,23551647,152064,C:\Users\user\Desktop\sfk_setup.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' /e 'C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid' 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://www.spyrix.com/spyrix-products.php?from=sfk_install	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1844 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' 'Spyrix Free Keylogger 11.5.1'	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe' exitime64	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

File written: C:\ProgramData\Spyrix Free Keylogger\temp\logger.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: I accept the agreement
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: sfk_setup.exe

Static PE information: certificate valid

Source: sfk_setup.exe

Static file information: File size 24086096 > 1048576

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: sfk_setup.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Development\OpenSSL\Temp\openssl-1.0.1c-x32\out32dll\libeay32.pdb source: sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp
Source:	Binary string: C:\Development\OpenSSL\Temp\openssl-1.0.1c-x32\out32dll\libeay32.pdbpS source: sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp
Source:	Binary string: C:\Development\OpenSSL\Temp\openssl-1.0.1c-x32\out32dll\ssleay32.pdb source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004A1A3C LoadLibraryExW,LoadLibraryW,GetProcAddress,

1_2_004A1A3C

Source: sfk_setup.exe	Static PE information: real checksum: 0x1704537 should be:
Source: sfk_setup.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x12e541
Source: is-I5RK2.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x138953
Source: _iscrypt.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x89d2

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040D034 push ecx; mov dword ptr [esp], eax	0_2_0040D039
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040E0D0 push 0040E118h; ret	0_2_0040E110
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_004100D8 push 00410140h; ret	0_2_00410138
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00406944 push 00406986h; ret	0_2_0040697E
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040B104 push 0040B2B0h; ret	0_2_0040B2A8
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00406A50 push 00406A88h; ret	0_2_00406A80
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040E250 push 0040E27Ch; ret	0_2_0040E274
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00406A92 push 00406AC0h; ret	0_2_00406AB8
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00406A94 push 00406AC0h; ret	0_2_00406AB8
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_004064A6 push 0040650Dh; ret	0_2_00406505
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_004064A8 push 0040650Dh; ret	0_2_00406505
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_004034A8 push eax; ret	0_2_004034E4
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0041157C push 004115FAh; ret	0_2_004115F2
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040DD38 push 0040DD7Bh; ret	0_2_0040DD73
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00411618 push 00411645h; ret	0_2_0041163D
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004FA044 push ecx; mov dword ptr [esp], ecx	1_2_004FA049
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0046E0B0 push ecx; mov dword ptr [esp], edx	1_2_0046E0B4
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00482158 push 0048219Bh; ret	1_2_00482193
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004AC17C push ecx; mov dword ptr [esp], eax	1_2_004AC181
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0044C1F4 push 0044C220h; ret	1_2_0044C218
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0042E1B4 push 0042E1E0h; ret	1_2_0042E1D8
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0047E234 push 0047E28Eh; ret	1_2_0047E286
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0045C2C4 push ecx; mov dword ptr [esp], ecx	1_2_0045C2C8
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0040A2C4 push 0040A306h; ret	1_2_0040A2FE
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004542FC push 00454367h; ret	1_2_0045435F
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0049C374 push ecx; mov dword ptr [esp], ecx	1_2_0049C378
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0040A3D0 push 0040A408h; ret	1_2_0040A400
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0046E404 push ecx; mov dword ptr [esp], edx	1_2_0046E408
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0040A414 push 0040A440h; ret	1_2_0040A438
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004204B0 push 004204FDh; ret	1_2_004204F5
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00438544 push 00438570h; ret	1_2_00438568

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NLKP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\Windows\runkey.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EUIQT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-9A0F1.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NTTN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-5A3UD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-K3O8Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-N2S1S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-9A0F1.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-I5RK2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-D44HS.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\sfk_setup.exe	File created: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-6ADBO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-CIA22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-SKKKO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-AFJU2.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NLKP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EUIQT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NTTN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-5A3UD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-K3O8Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-N2S1S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-I5RK2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-D44HS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-6ADBO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-CIA22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-SKKKO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-AFJU2.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

File created: C:\Windows\runkey.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyrix Free Keylogger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyrix Free Keylogger\Spyrix Free Keylogger.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyrix Free Keylogger\Uninstall Spyrix Free Keylogger.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00470AAC GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	1_2_00470AAC
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004736F8 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,	1_2_004736F8
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004629EC IsIconic,GetCapture,	1_2_004629EC
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00470A2C IsIconic,	1_2_00470A2C
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00481238 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,	1_2_00481238
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0046335C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_0046335C
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0042DBCC MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,	1_2_0042DBCC
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00463DC8 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,ScreenToClient,ScreenToClient,	1_2_00463DC8
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_0040C8A6 IsIconic,	21_2_0040C8A6
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00677000 IsIconic,	22_2_00677000
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_006770F0 GetWindowLongPtrW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongPtrW,SetWindowLongPtrW,ShowWindow,ShowWindow,	22_2_006770F0

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\sfk_setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

1_2_0047A500

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Window / User API: foregroundWindowGot 499			Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Window / User API: foregroundWindowGot 1164			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NLKP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\Windows\runkey.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EUIQT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NTTN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9A0F1.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-5A3UD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-K3O8Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-N2S1S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-I5RK2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-D44HS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-CIA22.tmp	Jump to dropped file

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe

Evasive API call chain: RegQueryValue,DecisionNodes,Sleep

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe

API coverage: 4.2 %

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	0_2_00405BEC
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004AD294 FindFirstFileW,GetLastError,	1_2_004AD294
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00408174 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	1_2_00408174
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004FDF38 FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,	1_2_004FDF38
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_004099DC FindFirstFileW,	21_2_004099DC
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_0041491C FindFirstFileW,	21_2_0041491C
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_00409474 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	21_2_00409474
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00412380 FindFirstFileW,FindClose,	22_2_00412380
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00CC18B0 FindFirstFileW,FindClose,	22_2_00CC18B0

Source: C:\Users\user\Desktop\sfk_setup.exe

Code function: 0_2_00406458 GetSystemInfo,

0_2_00406458

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: sfk_setup.exe, 00000000.00000002.349265602.0000000002390000.00000002.00000001.sdmp, sfk_setup.tmp, 00000001.00000002.343818747.0000000002800000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: sfk_setup.exe, 00000000.00000002.349265602.0000000002390000.00000002.00000001.sdmp, sfk_setup.tmp, 00000001.00000002.343818747.0000000002800000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: sfk_setup.exe, 00000000.00000002.349265602.0000000002390000.00000002.00000001.sdmp, sfk_setup.tmp, 00000001.00000002.343818747.0000000002800000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: sfk_setup.tmp, 00000001.00000003.315724782.0000000005900000.00000004.00000001.sdmp	Binary or memory string: @@IdPORT_vmnet
Source: sfk_setup.exe, 00000000.00000002.349265602.0000000002390000.00000002.00000001.sdmp, sfk_setup.tmp, 00000001.00000002.343818747.0000000002800000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	API call chain: ExitProcess graph end node			graph_21-7238
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004A1A3C LoadLibraryExW,LoadLibraryW,GetProcAddress,

1_2_004A1A3C

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004D8F68 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_004D8F68

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://www.spyrix.com/spyrix-products.php?from=sfk_install	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' 'Spyrix Free Keylogger 11.5.1'	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe' exitime64	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_00480E38 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

1_2_00480E38

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004B8A78 GetVersion,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree,

1_2_004B8A78

Source: sfk_setup.tmp, 00000001.00000003.315724782.0000000005900000.00000004.00000001.sdmp

Binary or memory string: @@DOF_PROGMAN

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,	0_2_00405DE8
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: GetLocaleInfoW,	0_2_0040E640
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: GetLocaleInfoW,	0_2_00408EB4
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: GetLocaleInfoW,	0_2_00408F00
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,	0_2_00405F23
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,	1_2_00408370
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,	1_2_004084AB
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: GetLocaleInfoW,	1_2_004B0DAC
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: GetLocaleInfoW,	1_2_00410FC0
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: GetLocaleInfoW,	1_2_0041100C
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	21_2_00409AC4
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	21_2_0040900C
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: InterlockedCompareExchange,GetLocalTime,GetLocaleInfoW,GetModuleFileNameW,	21_2_0040BED4
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	22_2_00412560
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	22_2_00411580
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	22_2_00CC1A90
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	22_2_00CC0AB0

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004B3678 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,

1_2_004B3678

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004B2868 GetSystemTimeAsFileTime,FileTimeToSystemTime,

1_2_004B2868

Source: C:\Users\user\Desktop\sfk_setup.exe

Code function: 0_2_004110C4 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

0_2_004110C4

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation21	DLL Side-Loading1	Exploitation for Privilege Escalation1	Deobfuscate/Decode Files or Information1	Input Capture21	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Registry Run Keys / Startup Folder11	DLL Side-Loading1	Obfuscated Files or Information2	LSASS Memory	File and Directory Discovery4	Remote Desktop Protocol	Screen Capture1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter2	Logon Script (Windows)	Access Token Manipulation1	Software Packing1	Security Account Manager	System Information Discovery47	SMB/Windows Admin Shares	Input Capture21	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection13	DLL Side-Loading1	NTDS	Query Registry1	Distributed Component Object Model	Clipboard Data2	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder11	Masquerading21	LSA Secrets	Security Software Discovery41	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Modify Registry1	Cached Domain Credentials	Virtualization/Sandbox Evasion3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion3	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection13	/etc/passwd and /etc/shadow	System Owner/User Discovery2	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sfk_setup.exe	28%	Virustotal		Browse
sfk_setup.exe	25%	ReversingLabs	Win32.PUA.SpyrixKeylogger

Dropped Files

Source	Detection	Scanner	Link
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NLKP.tmp	0%	Metadefender	Browse
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NLKP.tmp	0%	ReversingLabs
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NTTN.tmp	0%	Metadefender	Browse
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NTTN.tmp	2%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
17.2.spkl.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
21.2.spmm.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Virustotal		Browse
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Virustotal		Browse
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://pixelgraphics.us/	0%	Virustotal		Browse
http://pixelgraphics.us/	0%	Avira URL Cloud	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://www.twolame.orgMPEG-2	0%	Avira URL Cloud	safe
https://spyrix.net/usr/monitor/access.txt	0%	Avira URL Cloud	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.actualkeylogger.com/help.html#registrate	0%	Avira URL Cloud	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://lame.sf.netD	0%	Avira URL Cloud	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/	0%	URL Reputation	safe
http://search.ipop.co.kr/	0%	URL Reputation	safe
http://search.ipop.co.kr/	0%	URL Reputation	safe
http://www.auction.co.kr/auction.ico	0%	URL Reputation	safe
http://www.auction.co.kr/auction.ico	0%	URL Reputation	safe
http://www.auction.co.kr/auction.ico	0%	URL Reputation	safe
http://www.dk-soft.org/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
spyrix.com	54.39.133.136	true	false		high
www.spyrix.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dashboard.spyrix.com/account/login-from-program?email=	spkl.exe	false		high
http://search.chol.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.dropbox.com/1/fileops/copy	spkl.exe	false		high
http://www.dailymail.co.uk/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.indyproject.org/	sfk_setup.tmp, 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp, spkl.exe, spmm.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fr.search.yahoo.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://in.search.yahoo.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
https://api.dropbox.com/1/fileops/create_folder?	spkl.exe	false		high
http://msk.afisha.ru/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ya.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.hanafos.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.dropbox.com/1/shares/dropbox	spkl.exe	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	sfk_setup.exe	false		high
http://search.msn.co.jp/results.aspx?q=	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://buscar.ozu.es/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
https://api-content.dropbox.com/1/files_put	spkl.exe	false		high
http://www.ask.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://pixelgraphics.us/	sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.google.it/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.de/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.twolame.orgMPEG-2	sfk_setup.tmp, 00000001.00000003.338354456.00000000091E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://sads.myspace.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
https://spyrix.net/usr/monitor/access.txt	sfk_setup.tmp, 00000001.00000003.212148023.0000000003170000.00000004.00000001.sdmp, spkl.exe	false	Avira URL Cloud: safe	unknown
http://www.pchome.com.tw/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.actualkeylogger.com/help.html#registrate	spkl.exe	false	Avira URL Cloud: safe	unknown
http://www.rambler.ru/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://uk.search.yahoo.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.gmarket.co.kr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.google.si/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.soso.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://busca.orange.es/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
https://api.dropbox.com/1/fileops/copy?	spkl.exe	false		high
http://auto.search.msn.com/response.asp?MT=	sfk_setup.tmp, 00000001.00000002.344377806.0000000005600000.00000002.00000001.sdmp	false		high
http://www.target.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.openssl.org/support/faq.html	sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp	false		high
http://search.orange.co.uk/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.centrum.cz/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://service2.bfast.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ariadna.elmundo.es/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.news.com.au/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.cdiscount.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.tiscali.it/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://it.search.yahoo.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.ceneo.pl/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.servicios.clarin.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://opensource.org/licenses/afl-3.0.php	sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	false		high
https://api.dropbox.com/1/fileops/move	spkl.exe	false		high
http://search.daum.net/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.kkbox.com.tw/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.goo.ne.jp/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.msn.com/results.aspx?q=	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://x265.org	sfk_setup.tmp, 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp	false		high
http://list.taobao.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.taobao.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ie.search.yahoo.com/os?command=	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.cnet.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.linternaute.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.amazon.co.uk/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.cdiscount.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://lame.sf.netD	sfk_setup.tmp, 00000001.00000003.338354456.00000000091E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.asharqalawsat.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.fr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://search.gismeteo.ru/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.rtl.de/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
https://api-content.dropbox.com/1/chunked_upload	spkl.exe	false		high
http://www.soso.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.univision.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://search.ipop.co.kr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.auction.co.kr/auction.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.dk-soft.org/	sfk_setup.exe, 00000000.00000003.209952617.0000000002480000.00000004.00000001.sdmp, sfk_setup.tmp, 00000001.00000003.212148023.0000000003170000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.orange.fr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://video.globo.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.google.co.uk/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.dropbox.com/1/fileops/move?	spkl.exe	false		high
http://buscador.terra.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search1.taobao.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://search.aol.co.uk/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.dreamwiz.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.recherche.aol.fr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://vachercher.lycos.fr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.39.133.136	unknown	Canada		16276	OVHFR	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	338143
Start date:	11.01.2021
Start time:	17:58:01
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	sfk_setup.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal42.evad.winEXE@15/478@2/1
EGA Information:	Successful, ratio: 80%
HDC Information:	Successful, ratio: 53.9% (good quality ratio 49.8%) Quality average: 79.8% Quality standard deviation: 30.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 52.255.188.83, 51.104.144.132, 104.79.90.110, 92.122.213.247, 92.122.213.194, 67.27.159.126, 8.248.139.254, 8.253.204.121, 8.248.135.254, 67.26.73.254, 51.103.5.186, 88.221.62.148, 172.217.23.40, 172.217.23.46, 20.54.26.129, 152.199.19.161, 51.104.139.180, 51.11.168.160, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, go.microsoft.com, emea1.notify.windows.com.akadns.net, www.googletagmanager.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.google-analytics.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, www-google-analytics.l.google.com, ie9comview.vo.msecnd.net, www-googletagmanager.l.google.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target spkl.exe, PID 6448 because there are no executed function Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:59:48	API Interceptor	3x Sleep call for process: spkl.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	hiytvys.dll	Get hash	malicious	Browse	46.105.131.65
	l7rgi3xyd.dll	Get hash	malicious	Browse	46.105.131.65
	ymuyks.dll	Get hash	malicious	Browse	46.105.131.65
	Client.vbs	Get hash	malicious	Browse	92.222.182.237
	INV9698791470-20210111920647.xlsm	Get hash	malicious	Browse	46.105.131.65
	hy9x6wzip.dll	Get hash	malicious	Browse	46.105.131.65
	INV7693947099-20210111388211.xlsm	Get hash	malicious	Browse	46.105.131.65
	jufk0vrar.dll	Get hash	malicious	Browse	46.105.131.65
	Pioneercon Project Contract.exe	Get hash	malicious	Browse	51.195.53.221
	Outstanding Payments.exe	Get hash	malicious	Browse	51.195.53.221
	Quw3X5oAwe.exe	Get hash	malicious	Browse	51.83.208.157
	H56P7iDwnJ.doc	Get hash	malicious	Browse	142.44.230.78
	11998704458248.exe	Get hash	malicious	Browse	54.37.160.157
	Test.HTM	Get hash	malicious	Browse	145.239.131.60
	2143453.exe	Get hash	malicious	Browse	51.83.43.226
	Buran.exe	Get hash	malicious	Browse	158.69.65.151
	https://1drv.ms:443/o/s!BAXL7VqGJe6lg0eKk2MZcT_c29ga?e=Qdftz9F3oESsQIuV76Ppsw&at=9	Get hash	malicious	Browse	87.98.225.159
	http://icapturefilms.com/albino-guppies/paramour-deposition-questions.html	Get hash	malicious	Browse	51.81.73.219
	SKM_C258201001130020005057.exe	Get hash	malicious	Browse	188.165.228.217
	https://lakewooderie.umcchurches.org/verify#Sugar@saccounty.net	Get hash	malicious	Browse	145.239.131.60

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	e-card.htm .exe	Get hash	malicious	Browse	54.39.133.136
	e-card.jpg .exe	Get hash	malicious	Browse	54.39.133.136
	Payment.exe	Get hash	malicious	Browse	54.39.133.136
	Test.HTM	Get hash	malicious	Browse	54.39.133.136
	mailsearcher32.dll	Get hash	malicious	Browse	54.39.133.136
	mailsearcher64.dll	Get hash	malicious	Browse	54.39.133.136
	Curriculo Laura.xlsm	Get hash	malicious	Browse	54.39.133.136
	prints carlos bolsonaro.docm	Get hash	malicious	Browse	54.39.133.136
	https://friskyferals.info/cgjx	Get hash	malicious	Browse	54.39.133.136
	https://marseral.am/wp-includes/aw?i=i&0=leo.cai@mainfreightasia.com	Get hash	malicious	Browse	54.39.133.136
	https://bit.ly/35cYpiT	Get hash	malicious	Browse	54.39.133.136
	http://mckeepropainting.com/.adv3738diukjuctdyakbd/dhava93vdia11876dkb/ag38vdua3848dk/sajvd9484auad/ajd847vauadja/101kah474sbbadad/wose/Paint20200921_2219.pdf.html	Get hash	malicious	Browse	54.39.133.136
	https://new-fax-messages.mydopweb.com/	Get hash	malicious	Browse	54.39.133.136
	https://survey.alchemer.com/s3/6130663/Check-11-Payment	Get hash	malicious	Browse	54.39.133.136
	https://proudflex.org	Get hash	malicious	Browse	54.39.133.136
	https://www.food4rhino.com/app/human	Get hash	malicious	Browse	54.39.133.136
	https://www.food4rhino.com/app/elefront	Get hash	malicious	Browse	54.39.133.136
	https://smlfinance.com/wp-content/uploads/2021/DHL2021/MARKET/	Get hash	malicious	Browse	54.39.133.136
	https://app.box.com/s/cwvx197f4b14m7rxw8vlqc08jwv0c5og	Get hash	malicious	Browse	54.39.133.136
	https://atacadaodocompensado.com.br/office356.com-RD163	Get hash	malicious	Browse	54.39.133.136

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyrix Free Keylogger\Spyrix Free Keylogger.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue Jan 12 00:59:16 2021, mtime=Tue Jan 12 00:59:16 2021, atime=Tue Jan 14 06:59:00 2020, length=5197960, window=hide
Category:	dropped
Size (bytes):	1887
Entropy (8bit):	3.411489499234797
Encrypted:	false
SSDEEP:	24:8BoLzWNBzIgQqAU6YQfX8sDVX8w4VX89kW0HYxeZ89ip1mC1mEm:8Ss0g8UPQfM4+w4+9kWz99i1l
MD5:	974D3B0B868CC7629116E8A6AF39F5BF
SHA1:	FA226F84A41E379F9C9F879EEECFF001619CEE90
SHA-256:	F1EC91BE2AE9BF9A42F6029A06E53EF274DBD0C3534A09CF2A622E03028F6F0A
SHA-512:	62535467EC61283587442D9D49722D5732617B1D72931469B024045ACF4DD7451D50CB286AB575B8E4F7214F722494B8D1149D46828713460D71CAFCDB0B3325
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. .....:......Qj........z.....PO..........................P.O. .:i.....+00.../C:\...................`.1.....,Rh...PROGRA~3..H......L.,Rh.....F......................n..P.r.o.g.r.a.m.D.a.t.a.......1.....,Rm...{827D2~1..~......,Rh.,Rm......g.....................w .{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.....Z.2..PO..P`? .spkl.exe..B......,Ri.,Ri...../i........................s.p.k.l...e.x.e.......m...............-.......l............4.......C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe..>.....\.....\.....\.....\.....\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.s.p.k.l...e.x.e.5.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.>.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.m.a.i.n...i.c.o.........%ALLUSERSPROFILE%\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\main.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyrix Free Keylogger\Uninstall Spyrix Free Keylogger.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Jan 12 00:59:16 2021, mtime=Tue Jan 12 00:59:16 2021, atime=Tue Jan 12 00:58:53 2021, length=1233133, window=hide
Category:	dropped
Size (bytes):	997
Entropy (8bit):	4.5820731515790305
Encrypted:	false
SSDEEP:	12:8m2ma0cmCgCweOLnZPOSipr8AjAkcS62LlX1OSddEbVX1OS7p56656FGm:8m28BzIvfAkz6YlX8kQVX80pP1m
MD5:	E1CBE0E8DBB808217D729F662686E0C9
SHA1:	EC0B838AA4D79BE3FABA4E3F40D597DC45F0C660
SHA-256:	D26EA177A7972B3D753DE1F7A64BAF7CFEF4AFFD2C4B6719B835D36BF80ACF1E
SHA-512:	94376A3AD2A10C9223B1A1A63A68B18F5951C969864D3F7323C9A1B45529BB671417A05FA83E7096041CF643ACF2E07550B2DC11DF6B4ADA8793DBC6FBC15788
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...........P@8.......z.................................P.O. .:i.....+00.../C:\...................`.1.....,Rh...PROGRA~3..H......L.,Rh.....F......................n..P.r.o.g.r.a.m.D.a.t.a.......1.....,Rm...{827D2~1..~......,Rh.,Rm......g.....................w .{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.....f.2.....,R[. .unins000.exe..J......,Ri.,Ri.....>K....................7Ak.u.n.i.n.s.0.0.0...e.x.e.......q...............-.......p............4.......C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe..B.....\.....\.....\.....\.....\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.u.n.i.n.s.0.0.0...e.x.e.5.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.`.......X.......123716...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\ProgramData\Spyrix Free Keylogger\logs\44207.log Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	78
Entropy (8bit):	5.145737436944543
Encrypted:	false
SSDEEP:	3:SAg3o5MBRXRFKDF8cz+L3I:S2yx2ecz04
MD5:	5C0AA423BD063634A8A3A975186947EC
SHA1:	A2FE59C51005FAB923B25A0267BF7C2E96FCFF7C
SHA-256:	9030C61312FBCD272EB0409381CC0A99F3ABA47B740A983A0942F85266472861
SHA-512:	8834978F22048D2B73FF30FA3C06793D764C6522709205159E7409FC1E0339453DF8E68FB86BB79A5560ADC0886AA7CC83F2D7FF647A5626ADE6C4003ED5C14F
Malicious:	false
Reputation:	low
Preview:	.DAYLY LOG..ACTIVITY;44207.7499280787;;;ID: 51 Start of User Session;user..

C:\ProgramData\Spyrix Free Keylogger\logs\44207.wdb Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	SQLite 3.x database, last written using SQLite version 3013000
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.3586764910583943
Encrypted:	false
SSDEEP:	24:TLiuWsm2vjGIqbLyeEu/2vjGIyLieEu/2vjGINx0b0yEdm0+:TZWx2vjY5Eu/2vjKpEu/2vj1eEdG
MD5:	79891721CD58EDCE83918E85242B7EBE
SHA1:	38BBB341F61A8B7F192C61A583256F65F9EA38C1
SHA-256:	71FCDDAF3BF75D29B4E7C499F5612C47AD101C4229097468CF7C079F9DCD9714
SHA-512:	7547AD79BA932BE8C8C407618994EBA605A9CEF2D86C8851A9778E6CE65930621D3454027ADF95C2C38FF7E8293C05E1FB2689CA86C542DC7EAD498CFEA29F16
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .........................................................................-........A....A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Spyrix Free Keylogger\logs\44207.wdb-journal Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	data
Category:	dropped
Size (bytes):	22092
Entropy (8bit):	0.33990497960485877
Encrypted:	false
SSDEEP:	24:o+t/XqLiuWsm2vjGIOVqLyeEu/2vjGIe+7:oMvqZWx2vj2Vq5Eu/2vjm+7
MD5:	5B87AE7F549B18FD277D05BF25E31141
SHA1:	46AC2071EDA592FD5E53BB87D885D39C737E887B
SHA-256:	A107A38C8CEA3028A75A2F23D815EC491D33F3F7BAF883F44260D89918658601
SHA-512:	578BBB1D8FA3083B278EC17C9D901E6FB1050987D10C793152CDF17432CA3C24EDF66250E55AF66865B749A218FAA15A241896E71B19FA18B01E544F6679FFC1
Malicious:	false
Reputation:	low
Preview:	.............aF..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... .c.................0...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Spyrix Free Keylogger\logs\logs.dat Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.562304859797067
Encrypted:	false
SSDEEP:	3:DpRRLCAXeZoYBnWyCCAXeZoQAOZocA/dov:UOYp4CONFcwdy
MD5:	0152BCDEE781FE8C0BA09600A9A9FD8E
SHA1:	CC68708C64B1C86ED93800CF81ADB955C2DE890A
SHA-256:	CB4338125C9B3BEDBA0810B2CDF6B71BF0CA4EEBE85F85CA863D91FD09819FA8
SHA-512:	628B15F65490ABDFCF095EF436093F064CDE586853F17A1148911734ACEB2449D192924F048619C8FCD94D818546E21C8F4224A9E00E8377BDA3B9E826718FF7
Malicious:	false
Reputation:	low
Preview:	[Logs]..FirstLogName=44207.log..AllSize=0..LastLogName=44207.log..CLog=44207.log..CSize=78..

C:\ProgramData\Spyrix Free Keylogger\temp\desktop\Spyrix Free Keylogger.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue Jan 12 00:59:16 2021, mtime=Tue Jan 12 00:59:24 2021, atime=Tue Jan 14 06:59:00 2020, length=5197960, window=hide
Category:	dropped
Size (bytes):	1875
Entropy (8bit):	3.4076810166556637
Encrypted:	false
SSDEEP:	24:8Bz5zWNBzIgQqAU6YQ5X8sDVX8w4VX89kW0HYxeZ89ip1mC1mEm:8Ds0g8UPQ5M4+w4+9kWz99i1l
MD5:	C8BBDA82FB7179F4369627458DB9C189
SHA1:	34C318DDBC1066F6AD6382BE40F049366E3A839A
SHA-256:	23D5CC51FCF829B7FE58FB01EAEF7205A10DAD519AB0529CA07A99173C1D5AE7
SHA-512:	67DB7638EF70624DEE1C3176353C236FD7C1564C93986731801A9A8927A5F1F1474A4C65D35ADCC2B9072D456018EE0D003B150BFD3C497A06C9FB4D36DF0428
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. .....:................z.....PO..........................P.O. .:i.....+00.../C:\...................`.1.....,Rh...PROGRA~3..H......L.,Rh.....F......................n..P.r.o.g.r.a.m.D.a.t.a.......1.....,Rm...{827D2~1..~......,Rh.,Rm......g.....................w .{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.....Z.2..PO..P`? .spkl.exe..B......,Ri.,Ri...../i........................s.p.k.l...e.x.e.......m...............-.......l............4.......C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe..8.....\.....\.....\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.s.p.k.l...e.x.e.5.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.>.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.m.a.i.n...i.c.o.........%ALLUSERSPROFILE%\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\main.ico.........

C:\ProgramData\Spyrix Free Keylogger\temp\logger.ini Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	8119
Entropy (8bit):	5.199863905442922
Encrypted:	false
SSDEEP:	192:MPTPyPrPjPDPwZYZ4bZ0PQZY727h7WPQZe7W:ML6jbrYZYZ4bZ04ZY727h7W4Ze7W
MD5:	2D16048F01B852447DEA6C86543B0B09
SHA1:	0B45B8A5E97FDC02AA9F5D0B5E8517B0DED91405
SHA-256:	DD080926796A53A62F47D23022ED7046F88A419587D890325C0C0097B498C5F5
SHA-512:	01C7F8A1ABD0632A3EA958C1FC51C7B02C41BA14E1AB5F08DF138B6465732AD68FD0837D05722A2CF85A2BBC6A84499E94308E0330DDFF54F85D2610EF8E112B
Malicious:	false
Reputation:	low
Preview:	tid=-1..lt=..Users=Administrator..Administrator,DefaultAccount..Administrator,DefaultAccount,Guest..Administrator,DefaultAccount,Guest,user..Administrator,DefaultAccount,Guest,user,WDAGUtilityAccount..AllUsers=Administrator,DefaultAccount,Guest,user,WDAGUtilityAccount..Administrator,DefaultAccount,Guest,user,WDAGUtilityAccount[Window]..Top=50..Left=50..Width=1280..Height=620..BottomHeight=170..LeftWidth=315..LeftTop=125..ctNone=48..ctSTime=180..ctAlert=101..ctSearch=141..ctSN=141..ctBlock=141..ctApp=139..ctTitle=132..ctValue=218..KDelay=5..[Window]..Top=50..Left=50..Width=1280..Height=620..BottomHeight=170..LeftWidth=315..LeftTop=125..ctNone=48..ctSTime=180..ctAlert=101..ctSearch=141..ctSN=141..ctBlock=141..ctApp=139..ctTitle=132..ctValue=218..hide=0..[Window]..Top=50..Left=50..Width=1280..Height=620..BottomHeight=170..LeftWidth=315..LeftTop=125..ctNone=48..ctSTime=180..ctAlert=101..ctSearch=141..ctSN=141..ctBlock=141..ctApp=139..ctTitle=132..ctValue=218..hide_p=0..[Window]..Top=50

C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid Download File
Process:	C:\Windows\SysWOW64\regedit.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	3.7762774370604513
Encrypted:	false
SSDEEP:	48:tKleUhKVfcfCokHCSdiiannHMCadjHMCadvdla:Sh0U64ianujuvdla
MD5:	2EBFB7A6AA03446B019416AD63FD43FF
SHA1:	60D5FFB6117C917BDB077595CE7FB795A698DD48
SHA-256:	414D6296B9B5098C422F665D239634E2875DD31D86894DDD15DA02208058D768
SHA-512:	D062B86D8898BD04A9A3DC87A6B0387B7C47B2ECB5F9FA3FB0445A75457D80C3BAB118C46546133EA2B9E119F438714335A108A8A7BD478382203340AAF564C6
Malicious:	true
Reputation:	low
Preview:	..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.U.n.i.n.s.t.a.l.l.\.S.p.y.r.i.x. .F.r.e.e. .K.e.y.l.o.g.g.e.r._.i.s.1.].....".I.n.n.o. .S.e.t.u.p.:. .S.e.t.u.p. .V.e.r.s.i.o.n.".=.".5...5...9. .(.u.).".....".I.n.n.o. .S.e.t.u.p.:. .A.p.p. .P.a.t.h.".=.".C.:.\.\.P.r.o.g.r.a.m.D.a.t.a.\.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.".....".I.n.s.t.a.l.l.L.o.c.a.t.i.o.n.".=.".C.:.\.\.P.r.o.g.r.a.m.D.a.t.a.\.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.\.".....".I.n.n.o. .S.e.t.u.p.:. .I.c.o.n. .G.r.o.u.p.".=.".S.p.y.r.i.x. .F.r.e.e. .K.e.y.l.o.g.g.e.r.".....".I.n.n.o. .S.e.t.u.p.:. .U.s.e.r.".=.".h.a.r.d.z.".....".I.n.n.o. .S.e.t.u.p.:. .L.a.n.g.u.a.g.e.".=.".e.n.g.l.i.s.h.".....".D.i.s.p.l.a.y.N.a.m.e.".=.".S.p.y.r.i.x. .F.r.e.e. .K.e.y.l.o.g.g.e.r. .1.1...5...1."...

C:\ProgramData\Spyrix Free Keylogger\temp\reg\is-0B1S9.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	GIF image data, version 89a, 327 x 57
Category:	dropped
Size (bytes):	7609
Entropy (8bit):	7.838852889190603
Encrypted:	false
SSDEEP:	192:CRjl+OutIyaaHKip9QY5Lg6pWlicYMG5/b:OshLaIFUug6pGzo
MD5:	359D85C48DCA7C9C529A7EC0F4D30DC4
SHA1:	749EE1A5C90299C9360DD3131222CE92584FFCC2
SHA-256:	03BBB9C7C115C8FD5E2FB573B86687AE27672C7F8B970FB9661E5007FC6E42BE
SHA-512:	9494049C968B6BEE93090630086EB4D8129B48E5E6CBA3CF2E7EEF2114948316D0068F859594EA3A464AB2FE99510C1C94EEF786A933114C0CFC630C13435B1D
Malicious:	false
Reputation:	low
Preview:	GIF89aG.9....Gq.....$...Z...ud.........\|.........,&..........M5.................g.........................yv.....6.............v.72......g.L........C.................T.......m...kg.......eX...X}.k..{................s.......{..........................................n...................C......ZU..................................................`......D@.M........z........F..........\|..a....................i........................s.......UQ...............................4c...................?%....w.#Y.BBB.........000.........fff.....888TTTxxx.ZD..........................d.........................................................................r..*]....Q.....U..~............OM.......................................................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="ht

C:\ProgramData\Spyrix Free Keylogger\temp\reg\is-11S5P.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	GIF image data, version 89a, 884 x 198
Category:	dropped
Size (bytes):	90361
Entropy (8bit):	7.9769989580983625
Encrypted:	false
SSDEEP:	1536:Zy6BW/LDE6LyfJVEr+jMi2hm9YFrRUv9Ie2eIDtTER:M6eL46LCJVpCsy6IAIRe
MD5:	3475836FCF6BBE603D1E83DD8A3C4765
SHA1:	DD92253B2600C1612FDC657FFB41E4FD66352C6B
SHA-256:	F8E582779693B4DAB740E13721093D9B8EB69DC0FF5CFACB5208C04321BA37F8
SHA-512:	8AE5E48692962A7F8049521F3B3510F1F1B9EF7CAF4A40526D7D6286BBEB647CFA54D88AF9A8E03AD884A42AECBA677E0A229577A394CD228CDF98E0F99506E4
Malicious:	false
Reputation:	low
Preview:	GIF89at..........u.J................i]OOH..........mQ...K2..C$..............B.p..X...dH....V<........M........%#"...........z.....[&....x8#.........`..............,$.....}}}.._...d0......Hw.hih...L..............xK..q..v.............e(......~......`.z`..........g.;".......t..........Y....r+.....q....xd...........R...........ad\.......WA......a...Y).R......3... .....]CHA6.......n............z ....a<..2.b...................L0....%+...nst]cc......lnk..M..x....QD.....&........Y..;........syu^^X......~..........fnr..e..xL..................U.hV....`..j................D....g..R....^.....<5.vqCCC..84/..2..5../..;.....&....L%.r+...........).....................................................W..V.......v............R......WYW....?%.........!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="ht

C:\ProgramData\Spyrix Free Keylogger\temp\reg\is-UNGJL.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.248529327128576
Encrypted:	false
SSDEEP:	3:N1KJS40dyTKVQXGNErnVernn:Cc40dyTK6XaErVer
MD5:	8F1A40DDD71F7EA45DF0E2FE0BACA597
SHA1:	E64C2983DE93F6566752E01BC0A2A5F3983759F6
SHA-256:	2360EAEBD32653D08F75DB2F1C2AE67F4AE3906D09F94AD4C532BA35951553D1
SHA-512:	C73BE7BE0C52CDAB4BA1E3022D9D1E1E2DBC897E34A4F243A7D8936BB7B4A2F46DF2BD1F6E7CA63F6A80C799E4EAD1EAEE38550683473EBF53FC8E2569112BBF
Malicious:	false
Reputation:	low
Preview:	http://www.spyrix.com/purchase.php?prg=sfk

C:\ProgramData\Spyrix Free Keylogger\temp\reg\ru\is-12C72.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.248529327128576
Encrypted:	false
SSDEEP:	3:N1KJS40dyTKVQXGNErnVernn:Cc40dyTK6XaErVer
MD5:	8F1A40DDD71F7EA45DF0E2FE0BACA597
SHA1:	E64C2983DE93F6566752E01BC0A2A5F3983759F6
SHA-256:	2360EAEBD32653D08F75DB2F1C2AE67F4AE3906D09F94AD4C532BA35951553D1
SHA-512:	C73BE7BE0C52CDAB4BA1E3022D9D1E1E2DBC897E34A4F243A7D8936BB7B4A2F46DF2BD1F6E7CA63F6A80C799E4EAD1EAEE38550683473EBF53FC8E2569112BBF
Malicious:	false
Reputation:	low
Preview:	http://www.spyrix.com/purchase.php?prg=sfk

C:\ProgramData\Spyrix Free Keylogger\temp\reg\ru\is-D4F46.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	GIF image data, version 89a, 327 x 57
Category:	dropped
Size (bytes):	7829
Entropy (8bit):	7.826687568770807
Encrypted:	false
SSDEEP:	192:ZwZ+70N539DtmJu0clifT2eTb6uRM3Q6q:Z0+QNftOcloTBTtRMHq
MD5:	241545A94AF6185978CFD96B32101E95
SHA1:	75FC98239798D933FD87978D7545964CE0E611D8
SHA-256:	01FD9E13EEF1D14C6C2B4E5EA16E40789FE5423715500C29A7DC58FDF2C1364F
SHA-512:	1A127A5EB9573418B3301A0E498B5335AEE0E99F87C8B4C12B6907476D49D1781264700A692FBE24971D405695AAE9BD5C4F40E95D10A1F26CBB0818A32899E1
Malicious:	false
Preview:	GIF89aG.9...............g.............r...w................m.............$.....Z...ud.........\|..............-(.......M5o...................h.............6{...........yu6.............w.83.........L.....>..d.........U....m...mj.......eYY~.k..{.............................w........c....................!r............p........W.........E.....ZU.......j.................................b.....Qw..D@.N......L.z......F.A...........\|..N......f.............x.........].......UQ.........................................`.....?%.w.#Y....BBB...fff............000...TTT888.....xxx.ZD.....................b.....>j....Iq...................................................@l.......~........Q..U..............4c.........._......OM.................................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="ht

C:\ProgramData\Spyrix Free Keylogger\temp\reg\ru\is-LTAH2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	GIF image data, version 89a, 884 x 198
Category:	dropped
Size (bytes):	90699
Entropy (8bit):	7.976611505014986
Encrypted:	false
SSDEEP:	1536:TO6fc7nz/3pXEtubO/n9l7STXTQXsxalgH8UsX4UzAY3p18N14e86zebLqDf:BEzzRXEtubO/yTXTlxbrUDcu/8v4e8AH
MD5:	EF79CF8AABBC41E42025D3ACF51B36C9
SHA1:	71940D0E9D230D295D8A89397DF4ED0BA5BD72DA
SHA-256:	24D4AC7D4101A76F35F636660A92AD95E1C068065D17BB4F8CC27CD3C91402F8
SHA-512:	E579BEED091D3A4068AE664640BA0EDCFB309F0C7142CD452B45F79A69B6423A8237D9256C9A0E3FFE4F22EBC1C01D26B2BE79FD7B3E3E9643A1142A997E5902
Malicious:	false
Preview:	GIF89at.......s...............f[.......u..mQ...ONH.L1..C;................C+.qX....X.dH......W>...........M..........'&#.z....[&..x7".......................Y........+#{}}.......^...a.......hih...X..............zL....n..v..........e(........`.za..........j.7 .......m..........y.......u,......q....we.........T.............dd[.......WCi......e..Y*.R...4...!.....\BEC?..........n...............a>..b.Cy.............=CH.}.....M0....%+nst]dc......mpl.O...N..x....E?.....).....[..;.......sxq[^X......}.........c...fmr..~M..................L.k_...._..j.{.................D....f....a.....?(..{.\|{974..5...../..;.....&....L%.r+...........).......................................................................W....v...............R...YYW.......?%.........!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="ht

C:\ProgramData\Spyrix Free Keylogger\temp\runprg.ini Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	ISO-8859 text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	8962
Entropy (8bit):	5.256882439394726
Encrypted:	false
SSDEEP:	48:eI80Z8i66cG666666666666666a66a666A6666666666666pP6q9kRng6IbvuZzn:PZ37SeZDyzEMyvDG44Brg9UJ
MD5:	8432F5650E79B208D758026CF5BF338E
SHA1:	1ED26B889173F89DD8EAB1E41F7A32117B2C7247
SHA-256:	E95B4648A7331923EFB1D4A3FDA71F09E7EA8EB90A40DA829C4E8076E24CEECB
SHA-512:	E51F902DEEBED208265536A2789F877F0BC6DA7663ED557494DF132A50E5E9622899F91DDB1EBB1E5186363FFC4527DFB23B29D9F3A15D04D400D4C02EB5E2A8
Malicious:	false
Preview:	[winlogon.exe]..Description=Windows Logon Application..Path=C:\Windows\system32\winlogon.exe..[lsass.exe]..Description=Local Security Authority Process..Path=C:\Windows\system32\lsass.exe..[fontdrvhost.exe]..Description=Usermode Font Driver Host..Path=C:\Windows\system32\fontdrvhost.exe..Usermode Font Driver HostC:\Windows\system32\fontdrvhost.exe[svchost.exe]..Description=Host Process for Windows Services..Path=c:\windows\system32\svchost.exe..Host Process for Windows ServicesC:\Windows\system32\svchost.exeHost Process for Windows Servicesc:\windows\system32\svchost.exeHost Process for Windows Servicesc:\windows\system32\svchost.exe[dwm.exe]..Description=Desktop Window Manager..Path=C:\Windows\system32\dwm.exe..Host Process for Windows Servicesc:\windows\system32\svchost.exeHost Process for Windows Servicesc:\windows\system32\svchost.exeHost Process for Windows ServicesC:\Windows\system32\svchost.exeHost Process for Windows Servicesc:\windows\system32\svchost.exeHost Process for Windo

C:\ProgramData\Spyrix Free Keylogger\temp\start\Spyrix Free Keylogger.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue Jan 12 00:59:16 2021, mtime=Tue Jan 12 00:59:16 2021, atime=Tue Jan 14 06:59:00 2020, length=5197960, window=hide
Category:	dropped
Size (bytes):	1875
Entropy (8bit):	3.4085532684014765
Encrypted:	false
SSDEEP:	24:8BoLzWNBzIgQqAU6YQ5X8sDVX8w4VX89kW0HYxeZ89ip1mC1mEm:8Ss0g8UPQ5M4+w4+9kWz99i1l
MD5:	99C50A578F755B5B7F2944321B54F172
SHA1:	36C177039F9D6E789CBB0E3327F821FD38EC912D
SHA-256:	AA4AEFAD2DF913661F730A40C2C2E98C8938B2F388F401323300274B3C664FD0
SHA-512:	CA7BD242D3933183A7599CE482DB692AB219064D0AE7185F2BAEAEEA908FA4F5E36AA59F59D2A7B755C4196B13B89B16D2F8CAB997C48D30FA32A94A73A13AB9
Malicious:	false
Preview:	L..................F.@.. .....:......Qj........z.....PO..........................P.O. .:i.....+00.../C:\...................`.1.....,Rh...PROGRA~3..H......L.,Rh.....F......................n..P.r.o.g.r.a.m.D.a.t.a.......1.....,Rm...{827D2~1..~......,Rh.,Rm......g.....................w .{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.....Z.2..PO..P`? .spkl.exe..B......,Ri.,Ri...../i........................s.p.k.l...e.x.e.......m...............-.......l............4.......C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe..8.....\.....\.....\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.s.p.k.l...e.x.e.5.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.>.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.m.a.i.n...i.c.o.........%ALLUSERSPROFILE%\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\main.ico.........

C:\ProgramData\Spyrix Free Keylogger\temp\start\Uninstall Spyrix Free Keylogger.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Jan 12 00:59:16 2021, mtime=Tue Jan 12 00:59:16 2021, atime=Tue Jan 12 00:58:53 2021, length=1233133, window=hide
Category:	dropped
Size (bytes):	985
Entropy (8bit):	4.5973441775262405
Encrypted:	false
SSDEEP:	12:8m2ma0cmCgCweOLnZPOSipr8AjAkcS62LbX1OSddEbVX1OS7p56656FGm:8m28BzIvfAkz6YbX8kQVX80pP1m
MD5:	DE7239436E5DF210FA738C20EF2B7E87
SHA1:	D7A09F6405B5A4D5E68578A4A5730D96D93ED35F
SHA-256:	74AE6D864FDEB6917B2D051873BF1B426366770C30ED791FF72B1A6DADF35DC6
SHA-512:	AD4E92DE7120183CDB88AFE7DECCE0C1D3AD94E7C5B0BFFD182E43E38531F3AF0EA1C673F1DC5AD90F241FC4387F8F4F632A7F8DF02038F8CA175EDA4A786533
Malicious:	false
Preview:	L..................F.... ...........P@8.......z.................................P.O. .:i.....+00.../C:\...................`.1.....,Rh...PROGRA~3..H......L.,Rh.....F......................n..P.r.o.g.r.a.m.D.a.t.a.......1.....,Rm...{827D2~1..~......,Rh.,Rm......g.....................w .{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.....f.2.....,R[. .unins000.exe..J......,Ri.,Ri.....>K....................7Ak.u.n.i.n.s.0.0.0...e.x.e.......q...............-.......p............4.......C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe..<.....\.....\.....\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.u.n.i.n.s.0.0.0...e.x.e.5.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.`.......X.......123716...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\ProgramData\Spyrix Free Keylogger\temp\stat\dlog\2021-01.wdb Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	SQLite 3.x database, last written using SQLite version 3013000
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.4925293635413527
Encrypted:	false
SSDEEP:	48:TZW+82paYaLa/2paKqLa/2parTlQpz5v6La/2paelwTlQpUKLa/2pa2ENalwTlQW:9Wc03a3sQ723jmQN33M0mQW
MD5:	2A6F593A71D4D55B09EBC6D6BA5CBC03
SHA1:	84290ACD2BA4A4D85F0C6CD0462C1C647345250E
SHA-256:	F9D71422F851EA3253909E3679DADF044680FDA55EE913B209CF5D00464F8ABB
SHA-512:	755928377F734B9691339CEB8A64E74FD21592483AA0E35760F05F6D18316B79DB767712B02AE390D3CB39B17A883911C81D03E650951746994A641EAE54C2C5
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................-........;....;........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Spyrix Free Keylogger\temp\stat\dlog\2021-01.wdb-journal Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	data
Category:	dropped
Size (bytes):	55972
Entropy (8bit):	0.4447428671258931
Encrypted:	false
SSDEEP:	48:qMIqZW+82pan9qaLa/2pa4S8TlQp8+BqqLa/2paQMHlwTlQpnq6La/2pax7:qNyWc013GiQ7Bl3IFmQlV32
MD5:	1AE3A16DFBDBF405B378033377304CE7
SHA1:	BF3EBEEFBA5C1B17BC0437C025C9FDAE2DFAB2FA
SHA-256:	E33985C5BAEAC13895B252DF2E6DE067A0902DACB13FB917545F8380F32A1C32
SHA-512:	EAAAC7343427DD7FC0276FAB178BADCD36C74AEEDE261ED7A82A1C2DEFA2F9D9CDA82A5A4AF88E7A40B6D2B8E68743F56D6B47C407D9E516A30753E8972C0295
Malicious:	false
Preview:	...............b.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... .c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-19DK8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	888
Entropy (8bit):	7.7525569355376955
Encrypted:	false
SSDEEP:	12:6v/7MyC90RfzncoB9d+Jfty3DKiuhnS1nWXpvQTMmy5ZKr+NLQymmFT040q11aZ2:eJ6iDKNdanodwMmyvKr2+40q1UFWVt
MD5:	D060EB33F8B5DFA18682625CE21C1F46
SHA1:	DEC3B1DE06D2D855408C16D93365711088BBE705
SHA-256:	F6C2720D108D96B429E82883EE44CE7EEC31F4194DA99391DC023D6797FA0886
SHA-512:	BBBCDC3E03214E686DCB05094ADE3A9FFB510CB5BF4DAF28B607BC50349C1B675074AE7EF4DB99E86A00C661B31473D858353EB3DB8734639E8FF00B71AAEC6A
Malicious:	false
Preview:	.PNG........IHDR................a...?IDATx.m.[l.U..33...N.e..m..n.mS....$...Z.. .....K..>..D..`h.D....@..... .4B...,...-.,.......t5....s......;./.huC..]./.d.M.0.3t0....u'.../..o...n-.U.~<..OS.`.-.n..a0..9<..._@U......m..\|....W..y.....g...;. J.e.C..s...5............./....i.".....6I..o...TF..#....=r`N.[.....>R.S..p.(...%.B.%....W{..-@....cr\|....D~.CF..3...q5W...*....k....&..58..40I.+V.."....A.f...e 9^.l....6:.Q....Z..i9..;..6..-.....aX<..1Kqc:w.L.\|\|.d K..V.....o8.6......qA...............;#.h........_I}..S..H.........$....`.A_R.\...r.D9.....fz\|%g....,...N.......n^...v...v;8..(Y.[..P......P0...AB".Rf..vl.On..C.u.(.C..I....h9....\..t..c.c...Xr~...}..^z...(..m....[L)..g.8]......2....v.7.......R..;...^..B........F....k...%.o2.. .^=Q.!.......b..%....P.T.U<v....(..A..w...........M1M7.SS..6fS.mB%..7.....M5....A9.:'...Q^..j...Y.s-.\ \|l......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-19SBS.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	486
Entropy (8bit):	7.403940932243279
Encrypted:	false
SSDEEP:	12:6v/7H2DBCOIXU00QhP+CCTV44lVCcK8ajSR64+eg:C2MXURCCTCXcK8286Heg
MD5:	49CBAB461388899937D45CE5F40FEA6F
SHA1:	4333CFB198B2F8078D38159AE6F37CF2056AC6A9
SHA-256:	30DBAE48834681F6F8E6A6867B5A83582DFBCA8E61C51C8A189687055F1A9042
SHA-512:	5A0C295DC41860B4F650D82B43EFBB4F7369A7DCC6844F8837DA8708F531A4D4C17749152536219492ABAA5667FFC63C0547AB2BD257068CF9BCDD9C47492595
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx..?K.P...3..?C.qi.T.E...,Up..kgg...b.......A.....8..."h...DDA.1...XJmKz..<...wo.... ....M..V.....o.2Q..e.#<`....E..l.....Y......m#..4...Fb2..D..Q7).K...b.i.....y...9`..^._Gv...a..T.j......1..D[.[...!}`.%....5........k...Y.....!z.u....\2!2....1 .H-.P\I)!......2B.!.[......`+....].F.1....F.I...(/..>}?.....v....w.C6C.H...E..w.v.S.q....?I...a......l<#~.....U....U.^.Q.( ~.G.thG/.....,R.).U.K?9.u........g...L_..wt../.....2.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-2EVNU.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.949963945175186
Encrypted:	false
SSDEEP:	24:PE14x6qLv19cI/PRw1ZoPh+tV/HFm+TIe0WmY:s1ALtDtPh+tVvz0WB
MD5:	E929E2F2B14B9EC2EC42A663F3C7EEC2
SHA1:	2E66730E02EEDA9641153D48F408CECFB72E92F6
SHA-256:	A6DB330F99F450E9BBA286E6FE96B13DD8DA5079A7A1F8E191A09123C6A61906
SHA-512:	5AFBE7ABB77DA9F37D5E0392BE622C8AC8BA0C07F02430E5F5FEC624074F12ABA39BEFF2AA4D44CD3029886A8B71BE7AEAE9F6AED8A95D83369984EC39CF066C
Malicious:	false
Preview:	............ .h.......(....... ..... ........................................................E@...K...$..].......................................#.../...C...N0...]!..^...J..............................A&......P...U17>.FOX.Q\g.Vbm.z:..j)..J...].."............A..4^...C;@.OWa.Ual.ox...............^\.y5..g..x-..."......L...`...]%..................................j#..}7...G...5.T....8..Ic........................................<...K...O#..E.......A..h'..............w...v................I...u4..]$...F..Y!......v&.h&.............................V`j..C....@..m0...J..\|(......{)..E!..zq.ehm..........................C...n...<..S..z'.......7.g:.i7".....TUY..................rY..O..._ ..~3.....y(......K..\|7.{C#.._;..~E.^E0.{oj...~.lRP.e3...x3..v..q...;..v'......R...1..d9..yM.(:...v..<..v'..b....^...o$...>..y...+..i.#..........8q.}0..r.......N..h...^%...<..S.....?...1..p...................p"......{..w..W..L..N..A...5...*..u$..........................].:..-..J..;......\|(..y&..u

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-2OGR5.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	921
Entropy (8bit):	7.692568178991757
Encrypted:	false
SSDEEP:	12:6v/7MIPvdQrswMHeAQQI/hnoG82ukRW61fAKmg0sLyVFIMVwIaJ2OnksgHDPkInc:MersR+SIZbnu+FXaYyVBtM2Oksgjlzv4
MD5:	A319CAB2BDD2363F2CE6F71874255367
SHA1:	606F86B9B032C74B9A88240A9A4933B4EA256C52
SHA-256:	0644CF298FE403904496AF78ADDCCDB46C1D3A324BC996A1423F9CC581EBFA39
SHA-512:	D74BB956EF9011436A44617B8DB7519F8335A10F55805BEC4CDB673F971E148614B9A4068146D182BB6024B5774C85CB35A4B10BEC5307F2C367179DEB45E07E
Malicious:	false
Preview:	.PNG........IHDR................a...`IDATx.].Mh.e..w.....Mf..k...BK..B+I..A.%...z(V..b.S...E.=..J...DR.R.P#..d..I..Iv...$......uczp..wx....K.o....;...8$.;Ax...).J..X..;.;...Ru/....<.J.b...`X9x.B.m@I..a-~...Q..p..V...[.....}.h_T.z.........m...6.b......-;..................#pD/........n9.g.....s...F9}..?..</......P..+o.Q.I`f/.^Ma./..\#..N.!..(c....R.S....=.....xX....L.S......}...X._~..8u\....&....p.......w.J..g............1..M...d...x6.......~..yr......[q.......^...@9.efr...:.J....8.O!...X...Y.}.........U."..sbYTm....6.O.5.....[.-.YBK_....W./..x....NVJ..g..e.c..a...../$..&.. sC.t./....].w.na.....4^..S.-..f..Mp....../......;.G.~.+...#..,..<....c.i...E,K&..4D{$.fVaL.\n.....l.WO....,.wL..W$...l.. ..!....c...T.?_e.]...Fd.....h.d..&...m.].4t.u#...^0..y.J....e...Rn..... ...1....U......Av\|}s\|...{#....1..T&......V]J.a..<f..\|..~.b...?U/...e.g..<wM.5.}.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-3N91F.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.995757173580584
Encrypted:	false
SSDEEP:	24:kV8FtQm5AZDsVYmrJcEa7RjyWtYmmatOjk:k6FtQXwY2CEalWyYbatOjk
MD5:	D7F9CD5B7E1275B24EB50769BBBE3021
SHA1:	0B213D27ABDB5016B1805C2FCE5238196F48718C
SHA-256:	414BDEC0A45A95F08390272EDFFF615879E3D0116FFA38AE341770327C8A69ED
SHA-512:	8688C65B158C7F26424C9AF3E59382D7C59155D14377965B14277BE36D49012610D7ADC719E0CC6FFC3946B9D08174FC048E121FDB13104B7BD68365F15130DC
Malicious:	false
Preview:	............ .h.......(....... ..... ....................................................................................................................................................................................................................................................................................................................................................................................................................................................41..2/..................................................\|\|...#...'...'... ..tr......................................ig.."(...+...+......)...$..XW..............................RO....%...#-.. ,...,...+...+...%..87......................C@..63..01..-0..0..&...#-..$-...,.. -...&..#"..............=:..<8..96..74..52..22...1...1..)/..&...#-.."-...(...!..~{..C@..;8..?;..>:..?;..96..:6..74..42..01..21..-0..)/..%..."+...!..=:.=:..=:..<9..;8..85..64..41..3/../,..,)..)&..&%.."$...#..."............................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-4JVHB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.20340524330819
Encrypted:	false
SSDEEP:	12:F5e2nwbQh05puMPaz5NV9/COvwqsvuKMBwnwfqHtJZcaHqtMbHgGomu/HAmlMscR:aCupu0az5l5R4t7bHqkAN/H7WrefjU8W
MD5:	6974D5655CF050D09AEDEFB0A870B09C
SHA1:	2C87D6EFB277163490FFF31C594A5127E8D0B509
SHA-256:	A5761AE112ECB0B8CA16EDD77F9B112D983D7F8B0C229A8099E1A35B2E4F6993
SHA-512:	AA3DBE81C2BFDBDBF4EF81DE63685BEC3743762254476F278E1FC6956A39910E2C4A1E83E491AB579B107FC0496E134AB946800D7D2CA367AE4AF2E109B6741C
Malicious:	false
Preview:	............ .h.......(....... ..... .............................C.<&D.=SC.?AU.U.....J.@.E.>FC.=XE.=?U.U.........................I.B#B.;.B.;.B.<.C.;.C.;.B.;.B.;.B.;.C.;.C.;.U.U.....................F.>>B.;.B.;.].W................k.f.B.;.C.<.H.A'................F.>BB.;.................~....l.g.t.o.S.M.C.<.U.U.........f.f.C.<..}........a.\.........}............L.E.C.;.........D.;VB.;........n.i.............................C.;.U.U.....B.<.].W....._.Y.....~.z.B.;.B.;.J.D...............B.;.E.=?....C.<.j.e.....E.>.....P.I.B.;.B.;.B.;.......x.s.....B.;.C.=X....C.<.g.b.....O.H.....u.p.B.;.B.;.D.=...............B.;.E.>J....D.<\|D.>..................\|.w..................B.;.I.@.....E.>%C.;........T.N...............}.x........e._.B.;.............B.<{G.A.........z.u.D.>.B.;.X.R...........C.;.G.@$............U.U.B.<.G.@..........................}.C.;.B.=d....................U.U.B.<{C.;.F.?.l.f.t.o.c.].B.;.B.;.E.=;................................G.@$D.<\|C.<.C.<.C.;.D.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-53THT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	712
Entropy (8bit):	7.689986023244019
Encrypted:	false
SSDEEP:	12:6v/7hFFKT/SNQRb8l3lGQdnJ5l9hfP5Y3OLHLeTS8T38YuFc5Hdp8rMPLQX:2rW/SNQRgl38UnJ5Vfy3OjLZ8T38YuFz
MD5:	BA4DA486665B6C79F792A39BF6F03ACF
SHA1:	3746A3488D981870D9CDC6FE16DD6C8171DE6E0F
SHA-256:	5444F65B5694092DD587F8C3E8BB44E159556E45688C856BD5F9515FAD6FF2B8
SHA-512:	9C3D87AEB7C2E5CF5FC08DBF666E9DBBBE431EF71BB83D5C769C9F88DDFB41934C404D72985E320B6BAF0C9F1FF45E057B82C76EBA54BFA01BF2456533F3C0D5
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.S]HSa.~..;.gS..,KDSG6I....$..D..........B.X....].".EH.Be%.$^x......!.b.%..s..Y..%..q...>..>...4. .....&s.~W...X}./..YO....R............h.....Ju....$....e...ij.O...\..%..w..pp-..8I.x...5.]..u.$vo.J.(....b..h..TC.K...>1D.p(.po..5.i...}..:.eP..a..edGs.C.v.y2t..)...OGMA..$..J.v....)\|...$.7Ed~.E.[.J..1...n..'.......BaD..[.) ....(~.1PA...U^<@.y.=,5c\'(rYP[.@yN.0...\.)FV..Q......3.hK.Rb?.j.....j^....q"?.......-....'...)..'.QD...7..U.....^...w.g.........>.......o?e..o.>Bl.A.]+d....C..f4..C......7...?..V...RZ.;/D.V..(...G5"...G.wO.L.D..K-.m-. !......`M...p...evT.L..].....:.P.{...@L..R..r[..?.1.`...+N=...i@S"j2......2!.c....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-5NBD5.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.984582163595734
Encrypted:	false
SSDEEP:	24:ltjzPCZMaBUC2R0pwXqeCvJX/JutpSu39Gl/GofW9y88rk:ltj05gBXqeCJ/8pSx/Gp9y88w
MD5:	4EAA9A0B583BB8C8A369753DBD0DD0EB
SHA1:	2D8F80DF55ADB806651E9B90C32C287825EFA9B6
SHA-256:	EABEFD31E31D5141F75E760FCF96F14844F0824BD20C3FAD28C6E7C6AF4342FB
SHA-512:	B4B5CE8697B0B195F5DFF361B7822207CBC8BB07A3318154A4652A663F9715958770B55ED9D8B0F5EE37AC5BCDD19C4D2389E7D644187B86762565ED27613D8D
Malicious:	false
Preview:	............ .h.......(....... ..... ..........................................................................................................................t4..z9..z9..z9..t5.....................!.9.&.=.!.9.!.9..v4..q3..z9..H..E...D..z9..q3..q3........OG.X.=.O.-.C.`.v.`.v..x8..W..z9...M.f...5...+...%...+.../...?...I.[.\.s.8.O.[.o.[.o...D.....G...J...X...a...X...O...K...V...U...=...`.t.?.d.S...J...S...a...o...a...J...E.....y..d...B.....J...O...Q...Z...f...s...i...W...N........j............K...../...J...X...[...X...L...b....z.................z..Pi........R.eHc.w.m..s...........V....................U..U.............R.eoQ.d.O.b.M.`.L.^.g.Zl.W..W..W..W..W..W.....................:.JW9.J.9.I.9.I`.....q3$.z<.r3..{=.t5$........................:.K.......9.I......{=..\|......X..\|>.........................;.K......:.J......s4.........\|..v6.........................;.LE;.L.:.K.:.KN......@........t...A..............................................~?!..E..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-897LB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	830
Entropy (8bit):	7.743747035981289
Encrypted:	false
SSDEEP:	12:6v/7MppO0bioeoVRws0LZivpCt1BIwB2QG9Qs1Vzaok9cz7A1oLVDiDkaBx9q8rS:hg0OX6wVduQywAQG9vSkEQiDY5aA7
MD5:	EB5BFEE784207B0EED0CB53FB3CF7509
SHA1:	519EEA88024FE4ABBA292A5097D879D42EEFC813
SHA-256:	450B1779BBDB391E340B1A142C0F2AB89836F6E7BDEAA864F9D660059129F13E
SHA-512:	0404FF8FFCDB1F8A1935837883102FF113EC3E18E550544F7B33D8554D8DFE4EEAF3590A88E9C62A02AFCCDA0946E17BDF2700FD85CF84E912CDDDF09CB883E9
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.u.iHTQ......q2...f"K3...2.6[....5d......J..PadHE.m..mS9QD.E..Q.eaD..c.Fn.::.{...YM....{~...._.?..".Yqo...i&9,..W.ie..2....,x=.J.mR....sV...=w.\.....5.0'r...p...A.<.u.....j..~:...u..w...~Sf..Xc..a9../..<.1.....ks....9.7..Uf.D0....H......B...IR6.\$s..%.2.\|:.)!..[..0.....o......f.6....'Ud.(..x.#.c...v8..'......]....0.".T.Zn.>..}_......@...QP{.B....G..";&...&v}<.bj.....6a.m.f<.E......[....b.1./.....H.M9..Z........%q......bs......\|..%.z.wcp.Y.$.I......oJ.m......[s.'[...:..N[....\|.r...$.b......L7.B..M.n...jx.q!.2.!...I.^.!...6..>*.9.=..~Y.....L.dd..F~.8Pw..J-.mY.(~.c......7..W.f'.n.q1.D}..J...1....Re..t.,........A.g.Gy..x...\|.+c..+.2......f.....{.ui=.....@U...;...U.........Jz....o"...e...J.x.im..{...!.......O@s.O....0X.7f'K.g8......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-8SH8M.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	6.401447563259091
Encrypted:	false
SSDEEP:	24:GxwtVB49rxl+FrnlMxh8M2J382e416LZYuegYtTn2H:YwjBoxlyDlMxj2J3SC6uSuT2H
MD5:	54C24D9A4A0FECA1E1732A2A800FAC29
SHA1:	D089A770D1565011BF54CFF7DCD29885F5595340
SHA-256:	3BD7E6C88BC3E06CF51817BBCB9CE14895D22A71E96E571F108110A33273FF59
SHA-512:	B07A8DE23A7D69413BA31E7ADC81B9F0200D58F7F247F78E5453ABAF737FBAE35D60801E3A33AA2F62C27AEABC2F669CA38198111140BE989E2DD315F651BB56
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................#p-...0......E.........+...A.................................4.l...................z......%..J...............................5.v...... ...1......`.........................................6...]....-.R.K.u.5.H.#.6.=.j.,.L..m...".. f%.$S(.........)+A.:<..!....0I.1.?.`..1.A.+.C.f..9.V..W..............)f+.....12...............4g......\...p...9..z'...)...1...+..... .#.....$$M.&...F?..E?..&....@g......~...^....9.8.i.3.f...H.....'.%........m'><.2=..><..,.................~.#\|!.@.R.?.R...1..g..DT;T..s..!..............w..D...........".a..............v...5......$q#.'.;...)...".........!v%.[.{.C.i...............'.......'..?..5u4.U.m...W...5... ..\|.......\|...........r........>...I.O.c.'x&.\fQ6H.Q.4.U..s..l#...'...............!...!..g"...2.;.d.I.Z.TpKPaeU.XYK./($!.'.u..5...;...6..{"...&...;...:...-..7..),#.YaN.giZ.bhV.>C6......Z'.G.t...E...=..["...3...9...<.L.x."z1.....02.X^N.\bQ.KPA.HK>.F_BLY.q.m.../.N..&.^..>.Y.....

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-95L8E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.739434322498255
Encrypted:	false
SSDEEP:	12:iStQidpNKcrw3FGbVzh8MgzemLqu+kqkng6dPEAaRAdViNSOC09YzmLk:i4xuNYBzh8MkeZLRkng6q/RWmSDKYzR
MD5:	5782C8F6C70B8E884FCB822EEF286EBE
SHA1:	66776EDD49D55F0F440FD5DCCF38FC27147076C2
SHA-256:	C067BD4E1DDB1EDA87201D7BA65BEB416C56A9ED486D17454148E9A013A6BD32
SHA-512:	70366DDABF05D4A60C6AE09266A4911CE61268DE7C3E83292A627344AC048A1510F46B48A566790B986AB1264E3FF38FBCC552A3E60A9249D7F1D12E44657CBD
Malicious:	false
Preview:	............ .h.......(....... ..... .....................................................................................................................................................................),).....)().)()R....................................................),)JJMJ.kmk.)().989.................................................!$!.\Y\...101.kmk.....................................! !B!$!.)().wxw.........sqs.kik.RUR{9<9!................)()!!$!.RQR.................................cec.BEB.989.....),).)()................................................989.9<9.!$!.................................................xzx.{y{.)().),).........................................................)().101.........................................................)().),).........................................................!$!.)()ckmk.................................................JIJ.)()J....),).............................................ZYZ.)()s............101{Z]Z...........................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-9K8JO.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.472732468708232
Encrypted:	false
SSDEEP:	24:eO+ZmtXn7q6EQAkkUNtYa1TBExcA8CNJF22222yLIXTN:eO+4p7q/QAtqTexR8M22222sIXZ
MD5:	F81E507FDAD67F58488CF3D937594180
SHA1:	59C646FB4F2808E0020BDF1728237F067B3264D2
SHA-256:	DCA19404AB1499715ED30AFCA88E4BD85371BADC6A51E1677EAEB1DFFC8CA289
SHA-512:	70FAB93C992E18FE77C53C2DAC203B2F599DCD888D55015E668B2DB149AE51BCA7DF6A772D5FB4633D038BFEB6CFBF4CF64C3384031E7DE4BC23BA6948171357
Malicious:	false
Preview:	............ .h.......(....... ..... .....@...............................................oL..pM...............................................n.3.y...\|..~...~...\|..y...n.5.............................y...................................y..1!...................\|...........................................}...............z.;..................1..\|..........0..............{.?......................$.....h.........p...................a...............\................................g.....+.......D.........................................../.../.......U.............................3............3.}...".."..".."..8.....................].....!.."..........%..&..&..&..&..&..&..W.............$..&..%..........'W.)..)..)..)..)..)..)..)..2..A..)..)..'[.............+..,..,..,..,..,..,..,..,..,..,..+......................./../../../../../../../............................%../e.0..1..1..1..1..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-AHS2A.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.518492008840673
Encrypted:	false
SSDEEP:	24:XTZmE/ZYQwseqlUQQSbG1tHhRNyYkTHHSD:XTgEGiSnZiL8
MD5:	6F6B30B331D4B1B52218C3EE9F6008E5
SHA1:	99BB8C47F45B605BA74866586F9B2AC64CAE082A
SHA-256:	E5995C8370B5C383F7B3A60F3A79D3A67650A85C3A954D208E4736F4021BE24E
SHA-512:	1BA21D5611D96D7090F3A9E80E1DBBE34C390E02AA7145354F069253B0D440D488D24F385CC2A0A9469A9D5D9EFED10D4D1F15A8D36969497593A2B60903B885
Malicious:	false
Preview:	............ .h.......(....... ..... ...........................................................................................................v.........@...@...........................................p...Xy..........................p...................0...........X{..Y\|..Z~..[...\.....................0.................Wy..Xz..Y\|..Z}..[...\...........i...`.................P.....Wx..Wz..Y{..Z}..Z~..z...................`...j.........0.........Wy..X{..Y\|..Z~..........................`...`.........p.......Xz..Y\|..Z}..............q..........._..._..._.................Y{..Y}..y...........]...]...^...r......._..._...................Y\|..Z~..............\...]...............^...^...................Z}..y...............\...................]...]...................Z}................[...................]...\.........`...0.....d...Y}..........Z~..z...............[...\...p......... .............d...Y\|..Z}..Z}..d...y...Z}..Z}..Z}..e.......................................n...Y\|..Y\|.......

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-AP20J.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	6.275771912287761
Encrypted:	false
SSDEEP:	24:INtkHVr7SidRa/Obkfbw8H1y3LIseAevOGZ0bTsB:LVPS0a2AfjeIEeBZ0bTsB
MD5:	6A4FEA20675B423DC5B6AFC565BA2D57
SHA1:	D241A8C16A86789F1B28EAA58B164AE6C9457FC1
SHA-256:	73EC225A303B4A44537CBBCFEB5FC07BB8EEB9FDFE0FACA788309CC7C75F3F74
SHA-512:	2948886496B704F85A71549341A1D8E5DE36375CCC6FF79B0F95BB6FC755147DE35C6F556E02CFF916B5967F95891E1586F065DC329A68E057093032B485A4A0
Malicious:	false
Preview:	............ .h.......(....... ..... ..........................................K.}.s......(...)........w...H.....!... .................W.#.n..&...<...M...i...k...[...C...+....q...K./.............W.#.u.....A...>...'......5~..&...;...G...2....x...V.,.........l.."...>...'...!T..-(..BA..MN..>=..)4..%...D...+....r.......[.j..../...5....J.."...("..63..=;..40..' ..!)../...8........p..p..$...8...+~....f.....$...)"..,&..(!..$........K..:.......v...}......>... F....4...d.......................\..+`.9...3........~..3...C...Ni......................................7...8........~..2...E...?d..z...............................f...9...9........}..0...L...Y...]...]...`...c...c...`...\...]...Y...N...8........r..1...U...\..._...v....xs.....}..........._...^...W...8....y...b.u....R...W...f........LA..........LA.....g...Z...V... ....w......r.....^...m...........................p...a.../....z..'........W.#.w..-...x...........................\|...1....z.....M.............W.#.s..&...k...................o.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-ATN0O.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	488
Entropy (8bit):	7.3920224953533245
Encrypted:	false
SSDEEP:	12:6v/7drHlKbwPKM5RMujiE9hN+clw+798b7w6sJ:orHkbwSwMujiE1+V+JukJ
MD5:	694A53E27D606EC219A2701C6DD6926C
SHA1:	E2EF3DA049160DB18AC5AC2D770B3F05F219722A
SHA-256:	0AD6EB5F37D593E9096640D5C0440D108BE85DCBB0C726CB5E0C8802E1B3421B
SHA-512:	B246D42344E90922EFCCFAB836BADC30DBA8E370BEE29E03524B0310FCDC9FEB727BEF32EDB695DD42B72FC99543520B91D8179A83ECC479C709DB9077861216
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx..K.a....[J..............D.4...I...Q8.iT.......D$-EC.%G.IP....R+.....4.{....s<......-....!.#H=..p........r....!...z=l6....o.8..$.T}...........N'...\....e.3...C8.n..3..R..-y.....j0cX.x.o...4...#!>!u...X..".....V+.!..<#{E.R.aj....J...,,....O.N..8O.C"... ..6R.l6.7B.....9..%.{.b.L..C.ET..v.=....P..x'.....V.s.V...A<w...9...\....T..E...\|...d;`....,G..O..#i..PD6.....5....n....4..<2.4......`.../S..u.>..;._........IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-BG337.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1342
Entropy (8bit):	4.6359350276939795
Encrypted:	false
SSDEEP:	24:dji7RcfMBrFZ4SJP/eM3Oa6xkbHITYphkt:djUcfsr1xG9Ypmt
MD5:	DA65CA13005C823DFDB8A02C0F534EA1
SHA1:	555B00EAB24107ED4B1E86A30E634DED6A3B172C
SHA-256:	73A10CE1010DDF27AD68552766FD5803E9DDAFB7ACE123822E6EB2FD69954D9A
SHA-512:	576FC82838F477AB1806433240C1508184C1E00B5365A2F5719A3FA53DEFD4AE71A6ED5A262F5D174AAF089F46F677332D270C154AC6185E8616DF1D0E53BC17
Malicious:	false
Preview:	............ .(.......(....... ..... ........................................E...D...........................?.............................................d...~...............................\....M...d.>...m.G...C...C...C...C...F.....{...........................o.C...C...C...C...C...B...B...B...B...o.N................<........C...C...C...B...F.....e.......b.@.B.....\|........?........G...C...C...B...j.J.....................B...F.................C...C...B...n.P.........k.K..........n.B...C.................C...B...T.-.........F...B...C...C...B...C...C.................C...B..........`.=.B...C...C...C...C...C...C................C...A..............B...C...C...C...C...C...C.................H...B.............h.B...C...C...C...C...C...F..............1.......B...i.H....E...C...C...C...C...C...C.....\|........>...........x.Z.B...B...C...C...C...C...C...C...v.V................................J...C...C...C...C...H...........................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-DQF44.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	3.614804652904851
Encrypted:	false
SSDEEP:	24:Biiii8ibi0TiSDiiuYxId1diiiiSiiiwKrkIzpJi4arAJbJbJbJbJDg:Biiii8ibiaiSDiiTxIfdiiiiSiiiwKr2
MD5:	92E919F7716BFEC2191169F9D1513737
SHA1:	E7BEB2821E116084C0A516D754A0C7A534956BD6
SHA-256:	C5CB556AFCF8E5F48AA604646FFE93AEDE2607342C4AA93D70791ED8C4FFFE4B
SHA-512:	574F731D0220B353AEAC4B442E6ADED51CE54A7BE93BF3EFC3A7EB8F15161FAA3A1806C859C585ACCC351195AA0376608A5ED5B126DD552296D2305367008014
Malicious:	false
Preview:	............ .h.......(....... ..... .............................................\|\|\|.\|\|\|.\|\|\|.\|\|\|.\|\|\|.\|\|\|.............................\|\|\|.\|\|\|.\|\|\|.........................\|\|\|.\|\|\|.\|\|\|.................\|\|\|.....\|\|\|.......=...$..Y...Q......\|\|\|.....\|\|\|.........\|\|\|.\|\|\|.\|\|\|.....\|\|\|.......T...7..n ..`%.....\|\|\|.....\|\|\|.\|\|\|.\|\|\|.\|\|\|.............\|\|\|...../.n...J...(..g'.....\|\|\|.............\|\|\|.\|\|\|.....\|\|\|.....\|\|\|..........a...,..u(.....\|\|\|.....\|\|\|.....\|\|\|.\|\|\|.............\|\|\|.....{....Z...3..z*.....\|\|\|.............\|\|\|.\|\|\|.\|\|\|.\|\|\|.\|\|\|.\|\|\|.........................\|\|\|.\|\|\|.\|\|\|.\|\|\|.\|\|\|.................\|\|\|.....'.U...A..t3..o:.....\|\|\|.................................\|\|\|.......Y...7..q...\".....\|\|\|.................................\|\|\|.....{....\...-..r&.....\|\|\|.................................\|\|\|.....o.~...^.-.C.=.>.....\|\|\|.................................\|\|\|.........................\|\|\|.....................................\|\|\|.....\|\|\|.}}}.\|\|\|.\|\|\|.........................................\|\|\|.....\|\|\|...........

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-EEF1R.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	2.89668669623498
Encrypted:	false
SSDEEP:	12:dDWdAyhFGViosMZNrBK5aTeiVIrSXgXdaguWUl:hxyTGVihMPBK52edrSXgtbUl
MD5:	2102DF54739C5E5FFEDDA31CE18A430E
SHA1:	B62D93ED6661FE4E0080D7CD575D0F81E8640D9B
SHA-256:	2DFDE998FEAC91E72BFDCDDF174000539C525233D4E3EA4744BD08EF70E6C9C0
SHA-512:	654F18D0C0F4309A8C559E4E0CB2D4497AABE9D9D5BDC51EA100CAF0455FC26702E0AA8390B3D7113CD7F752391B9A3283491B5A1623E0060F302EF2A816B7ED
Malicious:	false
Preview:	............ .h.......(....... ..... ............................"...........................................................".......................................................................................................................................................................................................................@.@.............9.9.............................................................................................................................................................................................................................................................................................................................................................................................................................H.H.........................................I.I.....................^.^.................................^.^.......................................................!.!...........................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-G7O97.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.042561065627236
Encrypted:	false
SSDEEP:	12:Fw3//////oXgAo////////go/P/wK/////YTQRY9K///pLKe//v7WVh5y//ze2JW:7BQC9BDRClcc3TIVBw0CC/6upx8y/V
MD5:	58BB5428EE336A048C0EAEDD11B08CBE
SHA1:	E40B41DCE19B4CEE84943905ACC31F0B624A22DC
SHA-256:	619AB6CC1EB6D48676BA555BFEC94798B8E043052967FAD42356E9D8BFCD08D9
SHA-512:	1424FE21796F05B1BB963F857BE61BD805775BC5F56B1A5ADBA8372057AEAFE01ED559EE9F29212BB74D9A1BF90F4F44DCC27AE09D1A02A674094BF8D7FA2045
Malicious:	false
Preview:	............ .h.......(....... ..... .............................................................................................................................../............../......................................................./.............._.............................................._................/...........................................................................................O...........`...P...........o...........................0...... .........O...................0...................."...a..............p......................................................................./....+..1...q..............X..1..1..1..1..(............(...H...H.............H...H..........j...H................Z...`...`...j...........................s...M................p...w...w...w.........................`......`.............P...............\|.........s...

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-HIK1U.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	586
Entropy (8bit):	7.630848437869861
Encrypted:	false
SSDEEP:	12:6v/7czkgzR/pOsg/sx7MiqeJACAHDTOipuwsOmA8PJO/Y7:xQgzRBX6e7nmC+puF9U/Y7
MD5:	FA83ECDD6AFBEFE0DD30A620574872DE
SHA1:	8B3299A9244809F9541BFFB7A1CCD8D58AB53EB0
SHA-256:	9AEA100DC1DCFA58A542BD9294F67B454CFD8669CC199F6C43ECD9A4C3E99E1D
SHA-512:	202937104E00E187A4CCB1D3D2352F19E1966E71DF015D1E5E529B3C148D4A91FCFF18C0D0A08CB23660962BEC06417D1EABD47D0F48A07A5DB22DFC4EB6048D
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.RAk.`.~c;.U..x..._P0..).t./....":$.......2iuu......O...VH.A>..^..S.....l...H...........}... ....II.E..".$ID....`_X.5.e..q.....q..@RK.U..=..MUT^..!..!hC..X.^....v..RG..j..).&.q.0.oM....Ah..w.....PJgj.....U...^..?.a`......3_..]..)..{9.......P\).z...t.-......pB..Z.QZ).........>...O..C.....%.....O.>q.4....kS...{..... ..Ks.....v.N.....H.<.kb.;....U0f.G..J.._.......?.......q?..-...U....[3v....&.D.Q5.G...IY..7?o...C..,..%*.e.=..~.g.......D.X.Q..]........`+..W.J.^..y.Wm.._..,5....1.sXU.o..<._.....J..Wa.g7....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-K3TN6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.304963365030796
Encrypted:	false
SSDEEP:	24:cKwiwjHRFNgmsPn71386ICxQo0hkNNNNN9:cMwjxFpi386Yo0ib
MD5:	19A1D5E299A9AEEF8E449AE555935968
SHA1:	E7C1EA89DE88FEE6B616ABBE5365C5AA3E42F672
SHA-256:	27CC231887F86DDB6FF938C1FBBC2CE319057BF90382B764AF86ED3F9C47CCB8
SHA-512:	973CCD95A012657F00B195AF3558E5E67B2AD194F9261EC3E8FD9FFC4F423E10A730E4D0ABFC4243F91FAD35097BE09D1DD0D1646CFCF1821F1928E23015CB8E
Malicious:	false
Preview:	............ .h.......(....... ..... ...............................................................u...................U...................................@'''.....................[[[....U...........................5kkk.............................OOO.........................))).................J4..:)..@@@........................................qqq.SV..w.,...+.....oN...............................*..............\|./...<...@.mL...........................@...j....bbb.0!........N........s0.....aaa%...........U....[[[.........KKK..m...B.....u.....aaa%............zzz......................................_...............U................GGG.....\\\.PPP.............................OOO.........@@@.6C..h...}...>...........................................J4....+.{.....,.............................................HHH.l...-...I...~..D.................................333.........lL.............f.KKK0............................... ggg..........t......T.aaaJ..........

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-KS7HO.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	563
Entropy (8bit):	7.517174524579319
Encrypted:	false
SSDEEP:	12:6v/7w//AIiO/vrFWdRdGBvXRwnHbMwigmsA7F9fS6ofSZHRQX+K:FB/vrEDdGh0ig8zKzSFk+K
MD5:	DB972EE37A5D0AEF2AEA2FE741B82C1D
SHA1:	C286B9CFEDA3CB6D3E19E1D7747790C52D84D377
SHA-256:	6A09E141A38F22AF46750BA3186AB260B0C566DDCA209B083623D8305BDF14A2
SHA-512:	9F35E67F88A4A250F8F983C8273DFD76F07A8CEEFBF54BA97D73FD1AB4C62508D8999AACD204E73CD04B86A0556AF895CA4BC07A722FB3D6143B7B07FF20BFF6
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx...O.A...v...aU<..b.@.F8y!..;.J ..{.w)^ML..../-..0!....GBS.=...v.......v...If.....;.......}.9...k......Q[...YV.........y\|.I\....QUb.....^ HN.....F.y...0r#.d...+.>.`.".....\|....:b..sB.xq..~..]$(U.G....M.;?]\|.....0..I.$\|..7.xz.@....R-......../.....,7C.%.<.".....0N.\|. ........[UU]....0....=.f.2........G...C..p.. ....h...(...r...dR.I.]..h{.d...z~......s_.(U\|..(<J ._.<.+.#,.su3.^.Q&.....ir.j.V....E}...C>.o.m...A..;......E..C./..J...!..I.*....8ij...W._.@;..[.....O.......-V.xD8.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-L53CJ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	786
Entropy (8bit):	7.667079474837334
Encrypted:	false
SSDEEP:	12:6v/7auxjxCwxayWi4r6JPSKu0G1dEnJrZkTAilExOZgaMGQC23gdHtCDswPoLrQJ:Yhgwu6JaPE8aK8GMZPPo3FlEpb6K
MD5:	60B69382DCB4792F0853815F1C3DC793
SHA1:	EF08278795D17F21D3BDE98A44CB5247E18FB6E3
SHA-256:	884887A5D27E4B1F683CF9BA3549797E9F2ACD7763144839CF690C87E38D348A
SHA-512:	115E4BC5A59F02C9F8B72541F256EE683A7FB2DF2F16C560894B83AF2141659553937FAE4FC0246561F7EAFB8E921A1A081F3BEA89825A32BABF96AF00880663
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.}._H.A......uzu.^d...bV..b.).I.$.P.BP.a)......4..FT.=DXf.Y..f.QV...%!5M.<.\..L....P......33...A.y.z...,"...a....5.f.V....W.3\.vRce..H..c.:F.P2..W..,.v'.....an=zo}....H..J.Tk,`..$.aV$@.`.!.>.c...p..i{........(E..!...u90.b....}t.d....L.j.3..4..>}...re..D.W.:.a.!7.V..}{.:1.b.A.>.x.lr..E.y.......\2..&..:8rw@.Q..E..1.LEL....[....X....9p..tF..S.P...........)+...OCm9...?.`...<+...8.N..F...[ ......='..p.9...P........Ua@....1.>...>.(+L.M..HC.X)...H.......h.&.j..$......\|..A.r......w...!..C......0..k#..,R...7,9..............^...'A.>L.<..;.p.,......1..%.bb!?{.mt.....>{....E..dD.W..eZ....9)f....3..W..+Q.......p....v7.C...E...h.a..7}....Q..ME..n.+).p.U..7.%......46..'.S.J........h%.......H...!C'j.4}.7.3[\|h.nQ....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-LDOM6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	675
Entropy (8bit):	7.483904311870301
Encrypted:	false
SSDEEP:	12:6v/7doMHmeia+juikJeSnm7XW6rJ5XUkABLVsHAVSjneDkMC1:Ao9La+juxnm55uLPs1
MD5:	BD04877B6C91557B84463719664B0292
SHA1:	6B5783097D914F8A463363843B8D24C6C933DDFE
SHA-256:	B2FE786345D8E1802BAA576C0E359240EA2811BCAB1BADB433743792BB9FAA77
SHA-512:	715C6079A00306A46E221C432336B1A4AD23DA6D8AB6BDE7D9F992DF162AAA04D9332D3BAF84DBD6CBA0D4160DE4DE773F266F556CBBEAA015A5D54DC078D33E
Malicious:	false
Preview:	.PNG........IHDR................a...jIDATx.cd... 6.bQ(.+....o...#.+....gee..\|...o...R.l;....{qg.....5...k.......Qy.)....r..8...4.c..=.Wo.u...8...........tb.J....s..^..S~..c...\..XPQQ.H......>..b......._V.+g..:.N]...........O....._`X.>.........o..&.".^....5..C.M........8y...3f..s..../_...a..>.@Q.PUU....-...6,.>...(.AJJj!..0.,,....!...+ &&&.......xT.S...Z:HC...O.>../,X. .....l.%(...........m..F.W..N....:..SV>X...:q.DGF..@k.].XYYy..Cf..7.J(...e.``...p`.........~...../.....t..O.}P.W.....q....}...;h.....e........A..v.......L....~.. .&0s...{...i...fggO-,,.......={..$......333..3......Kkjj.@...~..kWW..K.N d.8<....;0...[.x5..\.'.i......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-M6QCT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	838
Entropy (8bit):	7.7197016545374275
Encrypted:	false
SSDEEP:	12:6v/7Mx+Nre92kjEfcc8YhUaUuYE67bCIUMn+VnMUHAqOIjaDD/yJgQGToLYZFN:Z+LqERhUO67bCIZfmAajkj3tyYjN
MD5:	D9F77B09484FECF86DAB1E27B61481C3
SHA1:	D514C22AC2A1AC4B0826E38C48BABD9CBB077F9F
SHA-256:	CBFBDC4F27D2DE65E5F38B4233C967F1781449DE939BDF7451F2548511CF8F95
SHA-512:	606E0E9800296568C06F6015BB6DF091D5B75E516056032FB28CA1508E67AA0E8BBAC978981CA9FF492F54A7CFE02DF233042442F707588E6E8CFD82C7F8B93C
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx..kHSa......t.4..kj...I0)l.y...ZF.Fe.D.%K.K.....FVH..A.Y..Z..E. .".L..sz.,.\|.}.....wx...O....>... \|.x(x.;!..;S..n..' ...o;.y.TJ!.E)"!.xbh...^..V......,....vG....%.E...7......o]v.l.a..1<_jN24L.hL..,..5q..a.q.V..C.p...=fcup..B.........X^..t......Z.lSX.le@.J..\..kh.B...a.].}(eJl....=e.~..,:C....Sw1..//...W. cd(.[...g0<>....hT.8n.C.<D.i..}`.1...=E.9s~.)u-2............c.m..G.pN..(...:.!a$Y?.W...rN,.A.9...u.X.0292.....Q'.7..T".M...\|...#....".2z'.i.i...,X....+TT7..S..k+..D'...R..q....p....n.`..\..btr..T......D.M...Op.vr,H.T..-.../Fm..T..{....*XG.X...o..qOt`GD..}~....0..Ytm.S{.5.Hvs.mE..yn...=.uC.N....;..O:.....i..R......R.Ix......../..o...x>........7jZ..61.1....6..#..<H. .x...."..H..r...iY.S".Ob.......:cf..L,.9NI...Hgu.........4..`......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-NCOG1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	604
Entropy (8bit):	7.566535696722621
Encrypted:	false
SSDEEP:	12:6v/71+R52wdTd01ObCNVVeNROSj6OjPXgEFE7LEgcuq/yp61MVKCXXN:bR5RG1iwVsRPj68vgvEgcN/RKVBXN
MD5:	4AC295DB7E483693981CDE5340D6DD06
SHA1:	2940C14BCC2C1C975D7DC484C43618F8028350A3
SHA-256:	5DF1EB6894459E748C599DEA4119DBD85F8EE024A7932ADC49E80AED7BC3CDE2
SHA-512:	05562C55530620A0860B6E636C45F035ACAFFF4F468B3F29491D909C795102377F778951033B93A8C143D87D7F779E03381E415B914EB1E8198EB0E838243E18
Malicious:	false
Preview:	.PNG........IHDR................a...#IDATx.S.k.Q..f7b.j.m).c+.h.F.(.......?@.....x..^..A/J....TAk......&b]-".....yo...evf.........LP9=...........ZH.!.....1..r.*.....u......8bi..$b...~..m,..&k..47=.U..A...Z......M...9N..4V.._C.....o.. b.nN"..OE....d.].1A...\|.C..}85;...@Bp.t.A..wW.B7......&.Q......D..p..}l...Bm..j..K#E..Y.t.pc.._<G....r_...X.;1..w...f.......b...uK..XF..c\|y..{...../a......<...+....F.......r..<..Je..k.y....08v.kk....\|>.r.,.............J...}..f...M.\|'Z.6.m....;3..B'.Mo........pf3.v.....>....4cL&m.F......&1+.... )....kri.......g...ip;...A.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-OK28S.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	6.511795576297305
Encrypted:	false
SSDEEP:	12:ON6zzzzzKMSSSSSMa5HVyx7UmImSoH2bnDIjPNNJOtDrc53VrVOt/bQt8wQHz/HC:OD5H4lUbJfUIQ4lQ4j+HPKoCP652q
MD5:	9A89DE631D87C981A0AF3C07FD4AF610
SHA1:	6A5EE66ADA6C57C1FB8B142514DEE3272FF21605
SHA-256:	5E9C12BB009E1DB9568B273B53EBCA3500C3E6D113961729ADF98012FEE299B8
SHA-512:	B3F9BB8803CEAE7E33611BDED0C236C0A14DC6DE730A15910BD80ED15D1CF63BF8A83449E4EB83F593F9FC82C7E4C775AD799A206D3EEC93F8EA99B3746D005F
Malicious:	false
Preview:	............ .h.......(....... ..... .................................\|~..\|..1\|..2\|..2\|..2\|..2\|..2\|..2\|..2\|..2\|~. }.................BI..{..#..."..."..."..."..."..."..."...#... ....AcY[c.Y[c......-...>.. @.. @.. @.. @.. @.. @.. @.. @.. @...?...(..Z]n-Z]n-...-$B..#D..#D.."C..!C.."C..!B.."C.. A..!B..#D..#D...<.._g.M_g.M.../(G..#F.."E..?]..........Ur..<[......]x..$G..#F...A..bl.Obl.O.../(I.."G..,O..............................2T.."G...C..bm.Obm.O.../(K.. H..Qn..........Kh..............<^..#J..#J...E..bn.Obn.O.../(M...I..g.......k....G..$L..........3Z.."K..#L...G..bn.Obn.O.../'P...L..`~......g....L...L..........Qv...M.."O...J..bo.Obo.O.../'R.. P..Bh..........!Q...N..^}......Z}...O.."Q...L..bp.Obp.O.../'T.."T..%T..........r...*[..-[..Ot..h...9g..!S...N..bq.Obq.O.../'V.."V.. U..@i..........................6f..!U...P..bq.Obq.O...-'Y.."Y.."Y.. W..=h..................\...!X.."Y...S..br.Lbr.L...."P..!].."\.."\.. [..!Y..-a..3e..(_.. Z.."\.."]...M..^g~(^g~(....+N.B,_..)^..)^..)^..)_..(^..(^..)^..)^

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-P3SDT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.54214238379203
Encrypted:	false
SSDEEP:	24:6eIPdVt3Mxoi5U7YoFhqG0f9tX9vWHpWcd9JU:6NCSFhqlvWHpWcd96
MD5:	A7F6DC763A6C440673C6A65E1174379F
SHA1:	E3FE4B3EA5D58231C0326BD5BA9BC1A15D6C095D
SHA-256:	442AEC90EE87A5859CB87703F0ADA203796A24A36F8FA7AAA5C80E87995F1E65
SHA-512:	6A06B633363C13F056B8A23CEB3D507427F26DEC1844A043D49B99BB7F95C18BA21A1F08457E7A714F17A6D1A04ECC6DCEDB855D439E5D881F6D3CFB3C7517CB
Malicious:	false
Preview:	............ .h.......(....... ..... .............................9z.q6t..0q../v..'f..3g......-Y.i.X..7w..:{..6w..9{.z............,~..G...!.......D............E.......,...)...0................r.>1...M...............................6...6....v.'................7.......................................5.................#...#SM......./G..2I..........................Vw.. ..\........1"&...#.^hw.....,A..@Q..........................&...$...$.......A22.-.#.C?F......-...-..4O..Mf..~...............&...%...8/......C44K<./.=:n..+...6..'E...=..%I..3S...?...2..%;..).(.0$&.?43K......../+`..)......%0..@O...'...,......-...$...5..-2..('g.).!..........$.0!2......................................$0...)................y...[..".........Z...(...............$."...A.....................+ #.,.".+.".....................&.".%.".5.-."...................-"%.6&(.2#$...........o.........!...%.".,''.....................-#$)P;:.Q96.....................&.!.%.!." .5........................I97`fMJ.J53.0#%.*.".(.!.'.!.&

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-PITLA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	946
Entropy (8bit):	7.732040020903732
Encrypted:	false
SSDEEP:	12:6v/7Md+AhCq2Ci1b9Hm4UEtkvfdjXxYoCa0jn5/Pt1hC5VbxePpNS/XnxQmHm3EZ:hwRUEtWzxvC1RPpC5Vd4NS/Xnxjnn
MD5:	2F8627CE7D0210CE8A83A237AC9E7FFB
SHA1:	1F7C014538E93EDF5EAB0721AB007C946EDE8130
SHA-256:	CD701C56968BF7138417063032D62ADAFC272C8C6FC98D527AEA342359DA0F7D
SHA-512:	CCDA7916E676BA730D0FE9F803E9CFFF37BEED65B9DA776DA6113B33A75ED351E699D9923B68D37AD83BA04A123815A160E53F24840DF73580802AA510BFF81F
Malicious:	false
Preview:	.PNG........IHDR................a...yIDATx.mSmlSU.~.mo..s...].I[....2..]c..($K.D...1.jP....2...HH4.D...3!.c..c...l...M...]........u?..{sN.7'O....!......N.d'mP.4.kf#.L...N..J......H.,...F..$ ..._. .".B.B.dO.....?.7.?...]Q`...f.-. ).22..,.,W.x..f.X....l>z....{...I..`<b.....4,U5..[.U.KSq,f.H&.{g....2...#.Pt)....aJ.g...[?...{@<.<L.....m...3n..oG..d.\_{.h..=...>L...NC.v..#.h...cu..........%l{...a(c.H./..h}.h.v_13U..5...b....I....W.e.Y.?.-...h....-..M..y8....'.._b..#E/.Q...'<.8.n. I.O$...^.C..8.Z3n...XM....................V3..c..6.@V..P`...=LNL.6.....(l...)A...-S...c."...\|...N....;}J. ...Q...2h.....tt...R....~z.I(.._.L....z?Z.jd...$I.@D!..-....G..0iA))Y..k.r.n.H.S!...m..:j.p:..-[... ......_........).UL#7...?9.l$..Q.V.6.".N.^...k,6.1.CZ.".....!....";.....e..e.]..VV..^Rb...&c.UW...f-m1.tn..2.....`....Y........B.f.e.......`.k*.z..".......W q.U."dZJW.3o.'.u...?..O........m V.......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-QL6MH.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	763
Entropy (8bit):	7.6950381846314215
Encrypted:	false
SSDEEP:	12:6v/71dxGeeaA/as1IpxNhX3HqPPwVS2TgW41SeJq5RXB4f4a:oqeeaAT1IpxNhKXNW5VBO4a
MD5:	F38AF891CBBDCD155644E65363A01520
SHA1:	BA161945A3E87EA2B3735165854E8AEF28B4F201
SHA-256:	DEF30878F80E5B00CE9F334170DD6369127C52E03959F5673B7193D8B21EE80D
SHA-512:	AFB7BD4EECEF8B2E9E082E3A7203DC393E92683B4AD2B301072A4BC8C22D710AF740BC553EE92997C714FD80F993A3BE0257EC09FF46C75AEEC3EB615553613C
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx..iHTQ...o..of..mT,M.@..Q).R"A.......Yb~0+..,../.}.>....X...J..DV..6.3..t.w{c$A.A....=.w.{....j'.....4-.K$T...W.w$...3m.H........ZT._.t6$..4.....\Z.....#.Z.....V.Og.....Z.oxm._..F..:.;,..0..1.Y.i..^....;qs..}..F..m.6].....JH..W.1.......D.....Rn..!O..T,%..z.........{(........,._.....&....#...........9">..#N..?....l.D.dO..&.....4....0..V}$b"u...ly..0....].F....S........b.....U......P.....@&.B....0.A.\~}A....I!..Eg..0.Z...M^........O.2.Z_.4.Jpv..6C...D.td.....94Db..E..7..,.J...J-..2..,..8T....p.#C.k..SU.y..g[..~a^.q.=.C6k....w.IT+4../...eY..p.P..En.....rY... "j.... .^..l......:.p}PS6P........o...fdD..8.S.&..(Z...A...uqD...f.Y.i2.{?s...}.fMNK..u.].z3.....'....K.R....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-RSB7I.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	1.0136328376606665
Encrypted:	false
SSDEEP:	12:A555L5rr5r5r5r5Lr5L5r5L5L5555555L5556DGkD7GPMg:CiGEg
MD5:	D71543D4396E09496F7724F2EB51819D
SHA1:	8C60CABA094161202D8FCBF5E787E83E586A73D5
SHA-256:	52440F7AC22968C6FB7AB07ECB382F8F047B4EB3989843BF5F396B965F2BECFE
SHA-512:	1A6A95B7FDD731F6CFB55F62DB567DD4EC162872081B8B19DF9BDE1530765FB4ED683959B43E73C1E222389EFEA7554401188B4AE0D65ED3BAE4CD124C21A982
Malicious:	false
Preview:	............ .h.......(....... ..... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-RVEV0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	318
Entropy (8bit):	6.697181871409298
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+aWg7NSRAkPY+kW37wjNaI79UL00H3zSiw2p:6v/78/2VRZbW37wV9UL00N
MD5:	E472E7B1F2BF2829B8625C32CB02B0A8
SHA1:	49275242752EEC7DFB1ED14A2968F02439EAE54D
SHA-256:	FA0F63928ABF3B36BE9D310A257CABD413B7E7B7D7D92A0975C7FAA7CB2F370E
SHA-512:	02E865BF6802EF4B3851E87A3E0C984395D5A90FFD7C6282F858E8ED2A74769BD968C637ABCC710BE3290CD0D947FBC5620FBA3510CB3ABB29991278F20C44B8
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.paint.net 4.0.134.[z....IDAT8O....P...J...@ ... ....Hv.@v.D%........`....M^.=Mh8.4.{i.6....8...m.c@.....a..q...l...'..c...R.Aas.qJg1.......;1.....~.....b.....{u.dt...^.....`..:72..Ru'..2..4_......].....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-UAREM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1001
Entropy (8bit):	7.758725240902144
Encrypted:	false
SSDEEP:	24:PLiyUaMQzTd2JxkVLDF0b5YPQfmCmGnX49:DFKmR6kVne5YPxCmEa
MD5:	5B29258244BCAD93923044B9CA6349A1
SHA1:	CC6CC6ABE4420DFA97552F5A1FF0DACA652AACE6
SHA-256:	A7D4C1C8C6FCEC92068D60D0DEFBAA38EA75010D01EA753FC913749CC89E8FDF
SHA-512:	AA8345E54E397D1AECE33F8CBE66B12AAB5F373109C787DE7C8C23BB0949A2B184CC1FB2E08CFA66F7374ABFD26EAA21D85857C74B67AEE31590A197971AF15C
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.MS{L[u.=.{o.K{)miy..<G......sF.#..d..;F.#S.-:53.ht31n..BLD.0..9E.3,u.s!.2....W_./.....k.h8._.9...\|.s.7(..!..D..&.g..m.9..D.......-..r..#....!.N.V.+U..tu#".!K2..........db\|"}.?.[s\>....x.....1....T.......z....;......lgv.4.\...\|~,...{....Mk........s...&To..y...H..........l.}m.h).....l.`k...@.O.....6$.N8[...k\"...m.'8....o....i..<......X.HM..Z.H..4R&..P.:k.7..?.zH.....9v.u.`..E..\|Dy...UP3Z.5)..).~5.."..H....v...>..H.......f!u.iEF@.M..k..]......NM".1.K.....,....0(}Dl.%...D.D@"...hp^.C[.g.c@$..w_.K...B.&u`\|..\|..66.>@(...r.......`t......#....i...J..,.....T....oN.V...%.......H.n.v.%...i/.4D..)....w<".=...+ +.......Xw."....\|...s.%..#/g5...8..@...l...........[.E&.`%...w......t.U....w99Z...A...F.v.:(M.O<..W..{x!.z4..)p.<.G..Z.X..A...tu........n.n...9.hy..>...~o....i....1.....O...ZK......&.f=...SW../`\M.......".Yds.R..:.CY...~+srI.@...E.?f...W...aI..,\Xyy.........u..G...{...D.P.....X-...k.b..D.Y^.........1....IEND.B`

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-UU3L8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	728
Entropy (8bit):	7.626939687751021
Encrypted:	false
SSDEEP:	12:6v/7xDWhiMwp8cPv8arNXzjOxin+3sSsNGI+dlb1TXiaG/deT7gYIaMXv3wjxyUU:mDmiMc8cPv8apjjOxA+3sDNGI+pyN/dH
MD5:	19F3CB0BD386402E675788B7D56970F4
SHA1:	EB8E440BC41C57BFEAA8E684C1E95008A3B53161
SHA-256:	12EDB57B3DC1F4FC152FB9DC44E69E669182C36A543E3F9335B14E7BF9AA4787
SHA-512:	030099A142FB428E231C9050304EA59BBFA9AF9E281FCFF0E80F3A2DA4113AA0953D0CD629B269310A47EC901279BB7C0FF5C2C922342AD813296832065022BF
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx..ML.Q....m....D..('...P...r.r1...1....... .^.b.1.?b...#z....&~..L(zP..F..nK..^.....L...7.....C.....y...;m!...!c.e...dUhf....&.^K.Ce.f.V........M..@a..R.k..&.....l:..E..W.H.0.....\8+LC..2..r....!........G18..\g...r...ca:!5....\)N.......77PVaF......q...p.....`..sI)....%.E.z.`.]...(5.?O.^.%....X...kLRz<.<.......jO...@..F\jP.g.....W...\.H.......:..:...l.&H....L.x7....-:JQ...{..e=..p..(..?.....R.P.8j.T.6....t..f.VC)\|..3.g8..q..%.kn....#S...........e.....r4_g()g....ER..?d..+i...Nc3U.B....)...#...q...j...g..U..0)P.S1VQ..R....q..t..C..$5R....~Y...Be.....Y@j.....J...X. .y...6z..B...p.J.y...a..b...)....fb.t..7.@.6&...m..>/j........Z.......(f.U.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-0B2TM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.760005259103538
Encrypted:	false
SSDEEP:	48:9cPueb/98+LRtKVF/7x5qcUuD4oxp7SJU9Jhni4GZ9h2u0Kuq+j6vQuQ:efO8Yx42Jhni4GUuLuhmY/
MD5:	6EDC10A9110ACA8413A654526A2C9A08
SHA1:	74515C9BAEE2A5CA04CBF57A179F98FFA650B890
SHA-256:	E15B8D976729695D510F6CD60E047006F57D09DCF477A58F7D3CF09ED9A34AAA
SHA-512:	1E02B7F6028872398FA087B6BCA84E7F5B5D85BBB14BE1F05F576AAC4E531127A2B5919095C8479838F98CDCCBBE8274891A355857515F94061FF2B8D4D286B1
Malicious:	false
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-1AOEA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	5182
Entropy (8bit):	4.429830209492408
Encrypted:	false
SSDEEP:	48:Rd9W4lzzzzzYXFrNmoN03g+iIsaDBYFGmGW2PD51s2ARAAR/sAye8:dW4gnJLI7DBolGW2r51dARAARRye
MD5:	31B5594B3A3289FB258A4EFBAC38F230
SHA1:	E41016FBE49B5B9B292EFC5C252F73452E55B409
SHA-256:	3B0521E3291E2F330873A66864C3DAC163E8E5DA9D62518C4541B38A979DE7B8
SHA-512:	825F05B05B7A0182B8F87AFCF12BD4FA1B4CF9712D39FCF13058BE32C11091145432273B443F955BEAABB995573252BD7006103E03645107FF434C8EFCC90EA6
Malicious:	false
Preview:	...... .... .(.......(... ...@..... ....................................................................................................................................................................?...................................................*......................................................................................v.../...................o.................................o.................................................................................................................................................................................................................................j.q.W.n.T.{.d..........................l.......................................=..........i.z.c...............^.>.A...A...A...A...A...A...A...A...T.4..................................................................B...B...B...K.&.B...B...B...B...B...B...B...B...B...B...B...B...`.A...........................................................B...B...B...B...B.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-34SMA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	0.6322026813246273
Encrypted:	false
SSDEEP:	12:suE555L555L555L555L55r55r55r555r55r555r555r555r555r555r555r55r5I:suvzPFV5
MD5:	E91EE031E8A775B87A966821F46B8003
SHA1:	B093537BEB4335E306C870ECF6C8C1431279F262
SHA-256:	E01B114837D5A19D2AB3492279F6AA0EA6AB960C4FFEB8369BB1A85F18672337
SHA-512:	70D2E0F656E784A10505BF73568E9BA0329EF612512B62458F3C2A6A44B3E09DF0D18D8B481978C9974A54844C7E67B0D94A56FB0FBCA616A95F21D89F6882F0
Malicious:	false
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-3C4BQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.992992998632407
Encrypted:	false
SSDEEP:	48:LxwRTmmd4FjFuwKqDBF2fA+O4dwvcYhEEXB7/T/B/cfGt:LxtmiFjKuP+O4dw0Wx7/7qOt
MD5:	BCF4E26316979B5DA494DBEA2C92B1CB
SHA1:	080339DB0B56E86428295596CED9EEBF416D050C
SHA-256:	A34A7DB975EB4367B54DC7BB5BC49A6B12F12501C3BEE21D9C9093717C193999
SHA-512:	D52B6394C34929C4758F7F5C3D805EDE1BED09C47F80B23E4EDA8A8A81D12763014B999F95E9FBDAE41A1C26548718B86C90C02BB0C8714B21078330B12D2B8F
Malicious:	false
Preview:	...... .... .........(... ...@..... ......................................................................................................................................................................................................................................................................................................................................................h?!.h?..i@.jA.jA..jA..jA..jA..jA.jA.i@..h?.................................................................................h?...K...S...X..]...Z...S...M...K..\|E..uB..i@.................................................:.Jc:.J.:.J.:.J.:.J.:.J.:.J.:.J..i@..[..o..............z..j...M..oE..d>.............................................:.J.N.b.c.y.j.}.c.u.X.i.N.a.E.W.A.R..lC..g......................{...g.yoR..wU.wjK.ziG.,ju.,kv.fq.0t.................._...A.Q............y..i.y.c.t.n.a..uH..wM..u...............................j...........k.}.2..F...9 ...6...;...<..@@..IC.qK=.P.G.X..........{.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-7CVNC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	2.904108079904619
Encrypted:	false
SSDEEP:	48:F+E7L9sciO2jASO/R9Zo6bVUZ0SS/UHL4/h3A4+Brwc2Ni:F+qcjZE7ZL6ZTS/Ur+398rwHw
MD5:	B4C726712268AACA5C8044B19D242C56
SHA1:	82295BE76E35F3B7A017C71DF4AFB7BCB13B8BD9
SHA-256:	67360906D5C412946E6621E6952DCC72E260B4BDA6B1097FB89D0968746B557A
SHA-512:	255E561C23605247FCA1BB3F071CE4E87DA9F580C93F9CB87980F2680C106FEF6B91E478953C667E55AC0B9C4891FB0D6389671AD5C1AEF0DD820ABC032A7F62
Malicious:	false
Preview:	...... .... .........(... ...@..... ...... .............................(...........................................................................................................*...............M...................................................................................................................U.......$...........................................................................................................................-............................................................................................................................................................................................v.v.1.1........................................................................................................................................................................................................................................................................J.J...........................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-E7A5U.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.056283894172477
Encrypted:	false
SSDEEP:	96:DZlab9wlipnz12qCLtZ7JgVksVScm8FPcTi:D3aJkipzZKtpJEkiBFEm
MD5:	F501D67C40B9B639411C99B14F60E14D
SHA1:	6F16B1384505A87848A6FB078FC3B62CC55BBF94
SHA-256:	4EC7F2AB9D5FD7E5F1622F007510B4F4D3C1C779E5CDB4B128E2D53A2E468A28
SHA-512:	775647B02208318CCAB7ED6873D9351ADD106D5EDF27857E73B215B18C04310693D210EB43415690D51191CDEF7F21AECED1B7FCF5A3AFB254698A9CF13AF3CF
Malicious:	false
Preview:	...... .... .........(... ...@..... ........................................................4...G...K...I...<...&...........................%...:...I...J...E...3...................................................7.'a..M...Z...i...e...N...C...#`....p...\...[...n..S..C...K...a...g...Z...M...,k....3.........................................R...............................e...,m..........+i..b...z...........................U...#Z..................................7.@....8....................Gp.VSY........................\co..Hz.............'...G........;.@.................................;. ....~...p...,....Sr.NAA........................................^US..S......[...A........@.0.....................................s.....8...02<.qdb....................................................../C..........~...........................................K...u.*'/.rdb..............................................................1E..y..P..............................................-.#.C67...........

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-FV6S4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.548751958766154
Encrypted:	false
SSDEEP:	48:I36IcaNTUkY37c3Yd/oB3cEYp2LctCWZhlt9b7Q01iEtcm:I39NART/EshwaCOLfQmdth
MD5:	3FF113ABAD7A9C6F2AE88B1680E5DE0E
SHA1:	840BDB6139021E1FE655C240324A64481BB999FF
SHA-256:	57EEA00C948FF2F8EE9604160F4143891E5F5792765961408CE99E68CAB04BB6
SHA-512:	52B899DA820C3E3195799300122346B1A461B5139C213CEB8DED89734CDAD45878BE7E2B2F21AB5F9301CDABE6E2628571C9BB62923E318947FB41C0F2D78BF0
Malicious:	false
Preview:	...... .... .........(... ...@..... ..........................................................................................................................................................................................................................................................%...................................................................................................#...G...d...\|....962.:62.;73........]...6..."..."................................................................... .......5...n....gaZ..\|.......................g`Y....K...........................................................................R...vnhb............................................PKEV...................................................................T-+(......................................................................................................................F.+).....................r.~.`...N.bN.`N.X\..sm.v...............}..............................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-I3297.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.398174204777635
Encrypted:	false
SSDEEP:	48:Jast2MOHFY/G3BwkW6YvzQNUWRQi+EKbp2uDd4pWRwf2aGAXV:hwMOCGCvzCUW946dfMI
MD5:	E86E5DECCF75CD251149376B2882272B
SHA1:	B84C1608F2E77A4BB78D1523A679F9C74256D227
SHA-256:	228AB3BBAEEA67B9B701E5F034C05E00B61739F4BB8B9256E8FA6E4AE40C74BF
SHA-512:	784EB5883876810C15637C541EB036E87F0964F8A4B39CB7303B3C84EF8FC59425F7528890114B3381EEF021E992CD485A97EB4C58C5B8F5389F3114D6816C63
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................................................................................................................224.02;.15E614E:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:15E903?/01...................................=...H...u.......z...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x.......{...U...%>..B...........................c..%...)...+...)...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(......*...'....u...&E......................B~.'...5...?..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A...@...9...+....b.......................z..;..$D..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..$D...?...(....0F...............'....#E..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..$D...:....Ed...............+.:..#E..#D..#D..#D..#D..#D..#D.."D

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-I5845.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.3625361404350915
Encrypted:	false
SSDEEP:	48:Og3bVNe49Z9LhdznJkyBVLBBHb31UOOrO2SB2NNg1F0U:53FLhBeyBlBB73134NNCWU
MD5:	E1286437AA2367AE05B567CA07F7AE38
SHA1:	A258C5400BBC5E28476805B4EBA278BA6D128432
SHA-256:	A886A335B7FC0A8EB88120FDF43E31AC349553D3DF1D3A911E3D2DF8A530BAAD
SHA-512:	E7477879F63A77A50B11D1CFFEC5ECF911A2906568FDFD1912031FAC0C2180834F5540F6EB190C43C0DA6CA52C51FF0C714C08F32C5ADF52C1FCA15EB2804595
Malicious:	false
Preview:	...... .... .........(... ...@..... .................................................................................................................................................................................................................X<.!~V.3.W.3Z=.!................................................................................................pM.!.n.{.u..z..~...~...~...~...{..u..o.}sO.%........................................................................\|U.#.t...~...........................................~...t..~W.'.............................................................m.k.~.........................................................~...n.o.....................................................u...........................................................................v..1!...........................................x...........................................~.......................................y.......................................u.u......................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-JJI58.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.015933025401917
Encrypted:	false
SSDEEP:	48:jlLTFwirlRR25mD7NHgf/nrqQ6kcwpgHBWgOXKpAsDn5DnO9eXVP:ZLTFwirlRRymnN0/rqpkcwaDOXZsxqYZ
MD5:	B5DECCE572BF993C4F6CD6BD108DF2C3
SHA1:	21C33E841AF7DE3AF8868EAFF54EDB1492AEBEA4
SHA-256:	42A521BC3EF75526B3A1839DA875A949B369C6A00F2EAA43C8BECBB3E8279555
SHA-512:	EEE0D7F592836DFCEB0D50E2695DF6ACF336211E3C83C9DF8B49325BD03E2B3E5BD39DC8CAE3193A32D953CAA79543F8D356930CC6C6769A861EDA8F31E04D6A
Malicious:	false
Preview:	...... .... .........(... ...@..... .................................................................................................................................................................F.>.C.;.C.<.C.<.C.;.B.<wC.=.............U.@.B.<UD.<\|C.<.C.<.B.<.D.=.C.<nG.@$....................................................U.U.B.=.B.;.B.;.B.;.B.;.B.;.B.<.B.=hB.<.C.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.<.D.=mf.f.................................................C.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.C.<.C.=P................................................B.;.B.;.B.;.B.;.B.;.B.;.B.;.T.N..........................O.H.B.;.B.;.B.;.B.;.C.;.............................................C.?AB.;.B.;.B.;.B.;.[.U........................................B.;.B.;.B.;.B.;.B.;.C.;.........................................C.;EB.;.B.;.B.;..............................................B.;.B.;.B.;.B.;.B.;.B.;.C.;.................................F.F.C.;.B.;.B.;..........

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-JOKOG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.505932325468453
Encrypted:	false
SSDEEP:	48:6x5Iin1G7yKJ1Gs3UNIAB09uq8eq+xn704qtiCA2Kn5t7eUO:6fIinYy7sCIASsq8jKqBA2K5Ber
MD5:	A9756849B11E570FCB8F845201B4A435
SHA1:	6A6085576DD2B871485296BF2EAA1A4E02EF9C81
SHA-256:	4CDD2B35CB1CA9E330D06E184FDA8FA664DD59C7428F67DE9986E77087DEFB5B
SHA-512:	47D16D4EA54B20F7124BDD64B2377D1D00AEECC228EDBCD77A754EDA9D9F977180A2E6E906A0527C9D05EE2C9BEFD52045E7D42B93E69C6E94F9FA73195BDE22
Malicious:	false
Preview:	...... .... .........(... ...@..... .............................................................................................................................................................................................................................................................................................................................................................._..._.P.a..a.._.P._..................................................................................................._...r.)...?...N...R...G...0....w.._......................................................................................._...\|..2...E...:...,...-...>...O...@..."...._...................................................................................m.*...<...'...+H..@>..MO..:G..'t..G...:....y.............................................................................._.@ ...6...-...$)..'"..41..<9..0,..&"..'g..?...(...._.@.........................................................B...F

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-MAUC1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	6.123671236740637
Encrypted:	false
SSDEEP:	96:M6HyDOdzc8+Efv02qJgthMtLdhItbSCIYU2P8x4He:YDOd4QH02qJlZdhUzIY0e+
MD5:	9D963AAEF1A316841C2C34AE32CDEDB3
SHA1:	A73386D3ABE3824621B72143E0402BC1388CE700
SHA-256:	9DD59EBDBAA0D4CB4A4422D597DB6C7EEC60624F042A273AB1C75AD785168945
SHA-512:	81757CF518EFB4CCB90BFE35383D39D16F5C9210BBA8EE2E58F62A4961591F4244D78C6702B1AD022E9205C7177976B2E8EDC8E8FA5C4BCD2BB6F95F504140B2
Malicious:	false
Preview:	...... .... .........(... ...@..... ................................................................h-L/./d5.,R/....t........................................................................................................3M3.).C...5.../...1.(.;..I-.................................................................................................3&.$.;.....................!.,.#-.........("&..-^0.,b1. &......................................................................6t8.............................%c$....));$...(...!...'.".8.)='................................................................&/.0..............................l..!.......................&.2....@............................................................,p(...............0...7...1......i..):#..........................&.s............................................................I#...........8.).M./.U./.P.).?. f.."[&...:.&.J.'.G...5..........".q.......9...M...<........................................... ..._.y....$.,.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-NFQD9.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.099397362289201
Encrypted:	false
SSDEEP:	48:SB5/OEO7w9J5CJDojYDgyTAU8Nazp+1RmzzVzab20B+H7YBkLviAhJySdzMVn9f:UGniUvXAdNGtzzu8ALAmS0
MD5:	3236B7EE04864A464C4269EA6772C06B
SHA1:	C32DAC3F987C391FAEEFB48184431669F6C2D961
SHA-256:	641DB9FED269716510F749F98430FBB3563A0DDE013354CA2ECCC572E95EAF84
SHA-512:	F311E36B92F5905B15E9738FE431C287253A2DDD05D5EBA758DCCD7257884D3A7990DCB6A77401C25122EAC419F68F543ACDA12BB3AABA0C790155EE84544702
Malicious:	false
Preview:	...... .... .........(... ...@..... ....................................................................`.........................................................................................................................j.........`.....................................................................................................................Uw..k.........`.................................................................................................................Vw..Wx..w.........@...@...@...@...@.............................................................................................Vx..Wx..Xz..............................................@....................................................... .............Wy..Xy..Xz..X{........................................................ .......................................`.................Wy..Xz..X{..Y{..Z\|..d...Z~..[~..z.........................................P...............................`...............b...Wz..X

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-NVGKS.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.865260776041573
Encrypted:	false
SSDEEP:	96:KSAuCHoaNkcD71rTr/JXTL2oOJu2u/V8o52K:KJuCHHN/rTMoOJun/VJUK
MD5:	340BD449C16ECBF1A7BC30C7B3AED555
SHA1:	D4464A700F4A7C6CDA68BE19AE90B0526D980B33
SHA-256:	01F8E1E82FDA69928E9EDA19DE2D775F4194CB8ADC081753C426456BFE2619F6
SHA-512:	16807B0C2B16547397D717DDA738B69122F2C3DC6CF2DE988F8675D4F2E0B5C9592D350FF6F408F012FCB4B3822FDB5ED6CA887D311DDAED090193AFAF0826B1
Malicious:	false
Preview:	...... .... .........(... ...@..... ............................................................................................3...@...-......@...&.......................................................................................................(+...[(..m7..D...G...a1..>......<.......................................................................................'...7...D...E3...L ..V7.f)..X....>".s5.. ..z...................................................................)...0...9...A...I...O...R...S...P..zB...n8&.c(..P...{9!.t1..4...................................................... ...E'......\...D...P...V...Y...Z...[...`...g...i!...E...v:+.T...L...p/".^...8...A..4........................................)..tI..........=...@...P...T...Y...c...j....&&0.<>J.div.....j<5.j(..C...M...Y...E...A...}..=................................=...Q...8......g...Q.......c...V...v((1.?@L.hny...............n\b.a"..O...;...H...t5..c+..L...z..$........................J..\|R...4...0.......).....

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-OB5TQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.327550606417895
Encrypted:	false
SSDEEP:	48:7ok26VKvsyK8gww8d6IrU866xoQ6iekgM7F5F616mlunzNa:7hNqsyw8NxogekgS/01l2zQ
MD5:	B1B0BDF79925656C6612EB420EFDD0CB
SHA1:	67A7A212310C229BD3753F937FE769392719BA85
SHA-256:	02FDCF85764302068222786937E5769650543F7B19B06208B65CE325792E7282
SHA-512:	700EDB186443417B8B5C2FFF44AC0CA4F40492F08789A4C44818F8255E4C5082AB7388AFBEE9DBE86C3979D15FF92F6CF33ED787694470AF7B88B86BD180F01D
Malicious:	false
Preview:	...... .... .........(... ...@..... ........................................................................................................................................................................................................................................................................................................................................!...!........................................................................................................141.........! !.!$!Z...1...1...)...!............................................................................................RQR9....101.Z]Z.........)()s...J...9...)...!........................................................................................BEBZ............sqs.....! !....Z...J...9...).......................................................................................)141.),).............),)........s...R...B...1...!...........................................................................!...1...J..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-RAS3U.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.07531325717377
Encrypted:	false
SSDEEP:	48:n2to4hDDD+l6ZtQE1mA/+PWLlClkKAUqjcVGTJUysHFa/IJu:2tthDDal6LL+PWQSB6sTqysHFaQJu
MD5:	D0D41AD531613F51005CFDD6E7AFC134
SHA1:	828A3A01B74603403798155326286743F5E4000C
SHA-256:	0E43F7B2B24A035112F9FACD840EF0856F68260BA890CA1EDD7FF7B4A1DD3036
SHA-512:	3471310FDE5E1341FD75B69C5271B15B385885E90A277E90F989D75638CCCA63E1E04BF4574E2610B24AC16BD0C04113EFC15E5B2A25EBC94191845BD03E8F44
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................RRR.VWW.}...ccd.ccd.~...dee.-...............................................................................................qrr.))).....................................................................................................................PRR.]__.'''.9;:.?CA.<>=.<?=.@CA.011....%uxx.............................................................................................wxw.........................NOO.................TTT.BBB.;;;.........................................JJJ.HHH.OOO=eee.TSS.ZYY+433.........`.y.E.e.F.f.Y.v.................bbb.[[Z....O.......................................................................2...........0...%...'...+...........2...4........XXX.....xxx.............................................................lll....F........1...7...8...............Y............ppp.....ccc.........................\\\.ttt.nnn.non.ddc.rrr...............

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-UN49E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.980115331909525
Encrypted:	false
SSDEEP:	48:zCCCPJgo7qkfGEEEEEEEEEE1vt9COYNybhh3cGcm:O1So7qkf8zyNw33P
MD5:	6447AACD6C19A9D3F0CDB2322620997A
SHA1:	DECED599496691BB5403D8CAA063227181400DED
SHA-256:	B5D3DDED1F4C3F75C033E19008119BC8E283DE10BBBCE39488854028C54511ED
SHA-512:	91942D1C960B176BCA722CB5AF08B38A0072B789EC9E8B75236662BD69418251FBC1A30A41FD1FE0264CA34934608989AD441E728972F1E389CDB3E30F9336FF
Malicious:	false
Preview:	...... .... .........(... ...@..... .................................................................................................................................................................................................................................................................................................................................................../..?..?../............................o...................................................................................................................?.............................................................................................................?......................................o...........................................................................................................................................................................o........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\is-D7G9P.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	683
Entropy (8bit):	5.044623021418303
Encrypted:	false
SSDEEP:	12:0O8xWSwt90CBDgfhkZJ602QWTlu/nyeX+L4m13Fx1kJ3J14g/1WWdS1weLjn7B21:0O8xWSM90EeG3GjTA/nyeX+MmZFxCqSz
MD5:	2AF8A7F7B2C4C7F18069E445DD927C6F
SHA1:	3CF8123F77557EBA8550888B972BB1244E7185A1
SHA-256:	9A8C7E3174434930075FF024E23316984B666C8D8C6692B12245BBC22B9DED88
SHA-512:	5DA67F67420DE60CAB80E2BE3E849B95E481EB2359B0A045854081D1DBC9CE744F2E2893A17C15BC63846FD49048D60CC3BAE364C8E08B6BD70017171D8212FC
Malicious:	false
Preview:	[Skype]..ID="skype.exe"..NodeID=41..[ICQ]..ID="icq.exe"..NodeID=39..[Google Talk]..ID="googletalk.exe"..NodeID=38..[Yahoo! Messenger]..ID="YahooMessenger.exe"..NodeID=40..[AIM]..ID="aim.exe"..NodeID=37..[Trillian]..ID="trillian.exe"..NodeID=42..[Windows Live Messenger]..ID="msnmsgr.exe"..NodeID=43..[Tencent QQ]..ID="QQ.exe"..NodeID=44..[QIP]..ID="qip.exe"..NodeID=45..; 47 48 - mobile..[Viber]..ID="viber.exe"..NodeID=50..[WhatsApp]..ID="whatsapp.exe"..NodeID=51..[Telegram]..ID="telegram.exe"..NodeID=52..[Mail Agent]..ID="magent.exe"..NodeID=53..[Line]..ID="line.exe"..NodeID=58..[Mozilla Thunderbird]..ID="thunderbird.exe"..NodeID=66..[Opera Mail]..ID="operamail.exe"..NodeID=67

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\is-UV691.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.6080756717696785
Encrypted:	false
SSDEEP:	3:yqysmslLEJEEsoAR5kmi8LBJqMxWAixOF:PmslLEJEEs1DqMVSOF
MD5:	13F5FF288606E078AC9039B6B38A1E2C
SHA1:	1C70F719594C4D5186B79862AC8903C849DA1537
SHA-256:	9C6E2764789D6138A98A91FB3081049C3558F08BBBAE6E05814EDBA25C49C45E
SHA-512:	C01F3AB6FD1C1050DCE9EC8CBE37FEDD0EF1CF77268C9F7849C573CFF438509DEEA294672BF2ED4E84C85DCCC27C28AC59484FAE9C984BA20EBC3FCD072AFD76
Malicious:	false
Preview:	Skype..ICQ..Google Talk..Yahoo! Messenger..AIM..Trillian..Windows Live Messenger..Tencent QQ

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\ru\is-6KMM4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.3735572622751846
Encrypted:	false
SSDEEP:	3:yqysm6Un:Pm6U
MD5:	27F304A88B022056B9782E0028658121
SHA1:	910B0D7556D4C187815C7E92C2556A1FB8DC08F3
SHA-256:	A43CAB140F23A03830F146E72920D8CC7C9FA6692B01483947D8919BD63F3625
SHA-512:	F9F5330459D9E8448967574E47995C0774727EBE6C82C7D3C8F577864A98694A90EB99BE8AE06F6BBC08FB08750BCF93B3A23B0A3EDEAEA004FCCFDE6DDD6379
Malicious:	false
Preview:	Skype..ICQ..QIP

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\zh\is-RQO1I.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.150292659616668
Encrypted:	false
SSDEEP:	3:yqyxATSfR6lLEJO:XblLEJO
MD5:	A81D187F7CF46F4FC7336B86CBAEC37F
SHA1:	7B0E93E0B0E167997960C23CCA5A75B051EB30E9
SHA-256:	1231CA0960A50BFE65D8931A816737054757963C4C7CDE91B696E4C171B5D609
SHA-512:	7F1A558A3F19C29093245687B1DE5A20CF63C6134DAFDF8EA9F64D7116B7F83B2996EF26AF6118AC8003DA954A5B1A99262D1F7D7062FC399302508487C31ACC
Malicious:	false
Preview:	Skype..Tencent QQ..ICQ..Google Talk

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\is-K3KTO.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 210 x 336, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	19730
Entropy (8bit):	7.966645049778982
Encrypted:	false
SSDEEP:	384:qJXE056Cv0Ek+u9AOgo8KWTVQSSKOhFjVdQO0MUCguUfrDlk0m0pe:q35fv0fjyKQQT4MyxrZwIe
MD5:	31EC3A003CF3D2C1CDE419B2770AE700
SHA1:	02927572E6B55561B729E37406C197BC782A5B08
SHA-256:	F9050D57ED7DDF92CD1B92505BEB33A606EA90682AE918DF2464C0F4ECC8CBEA
SHA-512:	646C7DEF65B4921CE55246D408348E10628B55FB4D5F920EE69CEC88F3F3C38BB1157C749CA4F0B13710AA431DFA4229E4D67380AF0A0FBF78A9958ACB739464
Malicious:	false
Preview:	.PNG........IHDR.......P...... %....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\is-LBPNQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 1122 x 60, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	36574
Entropy (8bit):	7.983280552060311
Encrypted:	false
SSDEEP:	768:3WN9F6pKVwko1aCYqIfw7dVCOyauFqRZd96/UCfD0J1RGz3/:3WDwc6kHYI47wqRzc/bfDG1RGj/
MD5:	6013CCDC5004442BD8EB1EAEE1A2FDFE
SHA1:	7447A346E5E2002E4EF6C56E149EB140ECC5F192
SHA-256:	065857BDAEC7F2E73BA3F7B81D627B94794B67E35D62168F439200FC840412A5
SHA-512:	2047C8F6BAFCC06124A2BD3776475B89C2470090DEB186AF88787E0AFA2DDC0462C70FEBF58ECED3F192E5DC918BE37F4A17EAAA63D337C8A176099F818F9A25
Malicious:	false
Preview:	.PNG........IHDR...b...<.....-.......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:557A66613F9D11E2B86C971723AA9104" xmpMM:DocumentID="xmp.did:557A66623F9D11E2B86C971723AA9104"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:557A665F3F9D11E2B86C971723AA9104" stRef:documentID="xmp.did:557A66603F9D11E2B86C971723AA9104"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>-2.....RIDATx..].x...~.eM...^....$.@.e.({..B...Z...~J[Z.-PJ[.t0...E.3.;v......=.c;.-[..$.........s.......'...7.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-11HCR.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 58 x 60, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	5507
Entropy (8bit):	7.929272432606936
Encrypted:	false
SSDEEP:	96:LSDZ/I09Da01l+gmkyTt6Hk8nTlzb1sV3wLir9SfPUZ+IK0UAPcWNSB:LSDS0tKg9E05TBbUA+9CGK0xy
MD5:	581AD143944C6620786FE8E8FC09EE1D
SHA1:	E933A895E544CC90F45F3F93E0F28545A780CCBC
SHA-256:	1855774FD5C9C275F57970DDAD469EB71B9841D8C3440128F9351C960A8F0B4E
SHA-512:	072AB07C04E55FE3D1033FFB491EB6F180E40E8691003E46A9EB6CB37857423A2C4704C8683C4DEDFC89D79AB5BE61D2BAA8069245861EBD4865B1C67EBF42E8
Malicious:	false
Preview:	.PNG........IHDR...:...<.....@.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-29SJF.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 58 x 60, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	6513
Entropy (8bit):	7.938370771306964
Encrypted:	false
SSDEEP:	96:LSDZ/I09Da01l+gmkyTt6Hk8nTQ27DriW08tOW633IfYjzfxKoKg49BM+Uf9C4jc:LSDS0tKg9E05TQ2jX08MQgHx6Sxm3Cg7
MD5:	538614FCC5E9A342D74CFB01246E3755
SHA1:	3496DD97D840823F928213E7E69BB8386EA057DC
SHA-256:	3524B51003AC153E7A40775C3955AA8E3F60AE99F99E514DB60A4BED628C16BC
SHA-512:	A2689D78B11B7C48BABAD5FC97672F6173DFF0DF3C082F6403581FFA45AE7E123BAA93B46DC3495CAD42328959E0EEBA68C70F35E371D175A5E406A9BAFED576
Malicious:	false
Preview:	.PNG........IHDR...:...<.....@.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-FRKUA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 58 x 60, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	5798
Entropy (8bit):	7.935696994639288
Encrypted:	false
SSDEEP:	96:LSDZ/I09Da01l+gmkyTt6Hk8nT4+KjhO/UW3j12FlHdjuxgXZLqKhiz:LSDS0tKg9E05TEjE8aoxdqqXZdEz
MD5:	5503FA64C9D05F3025834D93A81AF764
SHA1:	CD2ABB0DD317BAAB5ED12488B7EF0EB76795F95D
SHA-256:	F4EE63F12CE2753CF71A160F5D7772E998CF5B6DBD4BB27502AE43789D9DA822
SHA-512:	AB205307CEA14D14FA7CCE024244FCF5AAE6DA6F7825058A3061CB88DCDE2579DBB6670516559792B631B2A39E756BF4E81ED63C16C205AFDEFCFCBD42F07245
Malicious:	false
Preview:	.PNG........IHDR...:...<.....@.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-GOFQA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 66 x 67, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	7889
Entropy (8bit):	7.956855049886426
Encrypted:	false
SSDEEP:	192:fSDS0tKg9E05TVL0ZW4wNoOfMK98rfXQoEad7vgE:KJXE05105wNl9iPQs7v/
MD5:	5F738BDCCB17BABFD837386300BEF102
SHA1:	41F26EC0399CE58E1550A34C967A876A5F2FC8FB
SHA-256:	07C6155BB34D9BEBF03ECAAD535709B444D156A375F42FED15B26F6414FF63D3
SHA-512:	672E9D39AC2538D2F5CD082BD364E5C554AB0FE0A05A2BBFD4172ABDAA36AB1BCD86CCAACBBE333B85AD3905E25B5E0F0D8355E6290E8340BBE0165FC94C5E57
Malicious:	false
Preview:	.PNG........IHDR...B...C....._.......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-NJN1S.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 346 x 54, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	20030
Entropy (8bit):	7.985863672702684
Encrypted:	false
SSDEEP:	384:KJXE050lAI9uOflF5XFBw+q7hYwPXsUoRGf0wp4vF:K350f95fl1uD7/XuC4vF
MD5:	E01B942B6936DF2AF64EE809086A5334
SHA1:	6601FE8901F8F131CF47352896B01C8DCFD4C963
SHA-256:	E5FEAB5FF923032A51C09F3D61DB2C4AE052CEA6691F034F397207EACC3C2283
SHA-512:	8B21E8B99218F8A0646A418BF3B184A7F8BA1A8061A60383E1EF0BECF85CD07DD68478AD8225A17ED1458DCCC49585B77FF77407F016D95FE57FAD3E8C305BE9
Malicious:	false
Preview:	.PNG........IHDR...Z...6.......au....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-NP20P.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 58 x 60, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	6329
Entropy (8bit):	7.947037633028336
Encrypted:	false
SSDEEP:	192:LSDS0tKg9E05T58Vi5CX4vwjS9b+2xv+RfO17:+JXE05GIg4ojub+2xvt7
MD5:	03AF571726FE2C2A27BFACE13DE342A6
SHA1:	A350EC8147AE0AD79E8155E7FF62772C9A0AB339
SHA-256:	93C34A8EB0A686EDD27DCEFDAD5AFDDB2005FE27E09EE9880475E35F09A68BCA
SHA-512:	29B0DD9B86A559710262CEA72EF08DDDB9B91621C1BFC21A8E2B5EDDEE7D0EBC73A778B2AF1198903F5EC3EC59891E3EA0B991D3D48FD49938FA047706ABEBBB
Malicious:	false
Preview:	.PNG........IHDR...:...<.....@.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-QCJ49.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 122 x 295, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	29784
Entropy (8bit):	7.980725536896858
Encrypted:	false
SSDEEP:	384:RJXE05H3FyEuuqIMky+JU2JzDvj4Ygzc+Cv23bS5PdnFKo79yBbKafVLgkjPSTjG:z35I4qWNJVzAYkl3G51odZfmjymQ7l
MD5:	4C0A6A977EB10BA6ACB252E1C29141F7
SHA1:	3F5E32E79A7D3DB63C8D0BFF06CE43DF0EC6092F
SHA-256:	91853EDF8E536457D93044FCAA5412807368B6B6C88366E05738F3C8A4D031BC
SHA-512:	6C016AABA1B638EC8B2D22CE0AC4B23F662F9D2A372CA016ED5CFDDD72FAAD1A876600E78EEAB27DDE1FAAB47A43AE7CE805B33C43218240BAAC006DA74E569B
Malicious:	false
Preview:	.PNG........IHDR...z...'......9g.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-QS9UL.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 58 x 60, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	5873
Entropy (8bit):	7.9422746739510455
Encrypted:	false
SSDEEP:	96:LSDZ/I09Da01l+gmkyTt6Hk8nTbCCivsM0hVEz9EEWJcLWmu9H3s5cVQOVplQG:LSDS0tKg9E05TdMiEz9IJcVOVQG
MD5:	08696DFA1637279FCD315A0D2B13EA6E
SHA1:	9579D2CC5852F05288E2205F060F6C18F5619C39
SHA-256:	7C9CBFC634C58F761DFE138DD770C533B5DDDCF222FDE0B3BACFBB76F9A4CD9F
SHA-512:	F38BDF328BE3A4D7003A9216BDF2A9FAD1E53B130DAE37CA2BFC2CA36A497392A03950B137A1363AA25523068A38C87D6B19D5EFFAF0D5E421CE346140B9B444
Malicious:	false
Preview:	.PNG........IHDR...:...<.....@.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\is-QOTF2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	12965
Entropy (8bit):	4.7252821159716
Encrypted:	false
SSDEEP:	384:fosFgDIOR12U81EfXbWtk4VAwvZRlppVLMQ:fos4II2U81EfLWtk4VAwvNpUQ
MD5:	5EC6E79E4BA242B21EBD31F4EF89BEB8
SHA1:	7D0202CC4739CFA0C8459E9347260F8F44DD72BF
SHA-256:	1B7D810D6F1338C3D06A01E067E0F933319048A03CCA73DBEA955400216448A3
SHA-512:	A4426BE8C9850D699EB3674B5A6C78E0E7666DB8BCC44D89FBA7D8D3158DE4E55548628318D13B35D7F8333C3237F1971750F46897448538F8AC7EDD4EFA985B
Malicious:	false
Preview:	<!DOCTYPE html>..<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<link rel="stylesheet" type="text/css" href="mSpy/widgets.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/jquery-ui-1.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/reset.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/main.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/anythingslider.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/jquery.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/core-ui-select.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/jquery_002.css" media="all">..</head>..<body>.. <div class="std"><div class="wrapper">.. <div class="contentZone buyNowSection">.. <div class="product_page_wrap">.. <div class="product_page_top">..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-0852N.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 52 x 44, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	5834
Entropy (8bit):	7.9212427160575425
Encrypted:	false
SSDEEP:	96:PSDZ/I09Da01l+gmkyTt6Hk8nTNNtt/qXgfUmbtKXla2oVvcdWYrIgvPUSxMl:PSDS0tKg9E05TNNtlfUmIXlaZVvcdzIr
MD5:	F3E723BB70B07629C0A18763CD74EBE3
SHA1:	0450CC4E9FEC6C3FD446E2B3D3E68D03D37933A8
SHA-256:	1216AF29845B020BD410C9A4B0B2B0C6B2D528D5C6DDDA7BBDA0A905B4DDC84D
SHA-512:	0E9B25744201D9C3DFE27BE2497A2B6B769846A77E3CEADAB0A6B916B0F342A8EFC13A0817036883D36E7461276004D3B57CE648B9C4C771656CE6FE8B9FB071
Malicious:	false
Preview:	.PNG........IHDR...4...,.....].......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-4IR4C.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 122 x 295, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	29784
Entropy (8bit):	7.980725536896858
Encrypted:	false
SSDEEP:	384:RJXE05H3FyEuuqIMky+JU2JzDvj4Ygzc+Cv23bS5PdnFKo79yBbKafVLgkjPSTjG:z35I4qWNJVzAYkl3G51odZfmjymQ7l
MD5:	4C0A6A977EB10BA6ACB252E1C29141F7
SHA1:	3F5E32E79A7D3DB63C8D0BFF06CE43DF0EC6092F
SHA-256:	91853EDF8E536457D93044FCAA5412807368B6B6C88366E05738F3C8A4D031BC
SHA-512:	6C016AABA1B638EC8B2D22CE0AC4B23F662F9D2A372CA016ED5CFDDD72FAAD1A876600E78EEAB27DDE1FAAB47A43AE7CE805B33C43218240BAAC006DA74E569B
Malicious:	false
Preview:	.PNG........IHDR...z...'......9g.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-93I91.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	222581
Entropy (8bit):	5.08641292920484
Encrypted:	false
SSDEEP:	6144:nml2NjrkK/xiuWs5su3SIM9eCUQqWC5mK7C:nml2NjrkK/xDsu3DM9eCULWC5mK7C
MD5:	B278DC17F1D04A093886C43920057567
SHA1:	25B6F13A20A79632261A7117F55A3F6575EF1A38
SHA-256:	C4FF671620CD870A457D54F926592092B4323ADA8C085ED75CE3705F2DFA11EF
SHA-512:	BE7C6EA7174ED9F1DD6370B6E18C636C36228C75CD25BEA8E1FB87BEB337912F521AEE6F584A873A0C17DCA87A3E2EAE9F4C26A4F154B78E084AE8EB21E6C742
Malicious:	false
Preview:	@font-face {. font-family: 'TeXGyreHerosRegular';. src: url('../fonts/texgyreheros-regular-webfont.eot');. src: url('../fonts/texgyreheros-regular-webfont.eot?#iefix') format('embedded-opentype'),. url('../fonts/texgyreheros-regular-webfont.woff') format('woff'),. url('../fonts/texgyreheros-regular-webfont.ttf') format('truetype'),. url('../fonts/texgyreheros-regular-webfont.svg#TeXGyreHerosRegular') format('svg');. font-weight: normal;. font-style: normal;.}..@font-face {. font-family: 'TeXGyreHerosItalic';. src: url('../fonts/texgyreheros-italic-webfont.eot');. src: url('../fonts/texgyreheros-italic-webfont.eot?#iefix') format('embedded-opentype'),. url('../fonts/texgyreheros-italic-webfont.woff') format('woff'),. url('../fonts/texgyreheros-italic-webfont.ttf') format('truetype'),. url('../fonts/texgyreheros-italic-webfont.svg#TeXGyreHerosItalic') format('svg');. font-weight: normal;. font-style: normal;..}..@font-face {. font-family

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-9V1AM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 346 x 54, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	20030
Entropy (8bit):	7.985863672702684
Encrypted:	false
SSDEEP:	384:KJXE050lAI9uOflF5XFBw+q7hYwPXsUoRGf0wp4vF:K350f95fl1uD7/XuC4vF
MD5:	E01B942B6936DF2AF64EE809086A5334
SHA1:	6601FE8901F8F131CF47352896B01C8DCFD4C963
SHA-256:	E5FEAB5FF923032A51C09F3D61DB2C4AE052CEA6691F034F397207EACC3C2283
SHA-512:	8B21E8B99218F8A0646A418BF3B184A7F8BA1A8061A60383E1EF0BECF85CD07DD68478AD8225A17ED1458DCCC49585B77FF77407F016D95FE57FAD3E8C305BE9
Malicious:	false
Preview:	.PNG........IHDR...Z...6.......au....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-AE97G.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	9410
Entropy (8bit):	4.808156480467523
Encrypted:	false
SSDEEP:	192:8xTTXb1y2qsr2WlPFGU6NQ78CodleKl5DJ:8Rysr2UgnXeKl59
MD5:	8FE70C8D484CF5852239704F1A614273
SHA1:	F13788A7DDCD3EA44A34779803CC8D27EC5C3C13
SHA-256:	6D46AD7400BA5FE7CADB930AEDAF0A8FEAD8609A5E26DCD48B274E6AC146DD94
SHA-512:	754CCE55105E01CD9668E2570212140022BB52FDC0FD02C60C34C8B691BC45D7B2187FCBA95FB9FC196D6F438154A22DAD4AFC044A3A1FC80024725AFA3066A6
Malicious:	false
Preview:	./! normalize.css v1.0.1 \| MIT License \| git.io/normalize /../* ==========================================================================. HTML5 display definitions. ========================================================================== /../. * Corrects `block` display not defined in IE 6/7/8/9 and Firefox 3.. /..article,.aside,.details,.figcaption,.figure,.footer,.header,.hgroup,.nav,.section,.summary {. display: block;.}../. * Corrects `inline-block` display not defined in IE 6/7/8/9 and Firefox 3.. /..audio,.canvas,.video {. display: inline-block;. display: inline;. zoom: 1;.}../. * Prevents modern browsers from displaying `audio` without controls.. * Remove excess height in iOS 5 devices.. /..audio:not([controls]) {. display: none;. height: 0;.}../. * Addresses styling for `hidden` attribute not present in IE 7/8/9, Firefox 3,. * and Safari 4.. * Known issue: no IE 6 support.. /..[hidden] {. display: none;.}../ ===========================

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-BKJ08.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	4.942541983682357
Encrypted:	false
SSDEEP:	24:hwyUwTlgKWSv5JZ0rKvG45jdSYqE2JeXNDs6izDNHZzz:h7+KZxJqQAeXi6i3Vtz
MD5:	6C9118F4F853D7ABC63505FD692D75F3
SHA1:	76B3CE5EC7FBEC277BD5357E2BD6AD2C461D2AEB
SHA-256:	077AA5312F62AC255FAB801D71E08970BC70E2DB469292BD9622B80EA15281C8
SHA-512:	1B81E2879067223419D09B4C6DF8A90F1255CD707EBEF0C490701E4701B721A7D4AC65860EB04083B51EB2F4CDD02D53AE880D6CD5534FF2A53C4824BE5D9E78
Malicious:	false
Preview:	/*. Magento. . NOTICE OF LICENSE. . This source file is subject to the Academic Free License (AFL 3.0). * that is bundled with this package in the file LICENSE_AFL.txt.. * It is also available through the world-wide-web at this URL:. * http://opensource.org/licenses/afl-3.0.php. * If you did not receive a copy of the license and are unable to. * obtain it through the world-wide-web, please send an email. * to license@magentocommerce.com so we can send you a copy immediately.. . DISCLAIMER. . Do not edit or add to this file if you wish to upgrade Magento to newer. * versions in the future. If you wish to customize Magento for your. * needs please refer to http://www.magentocommerce.com for more information.. . @category design. * @package default_modern. * @copyright Copyright (c) 2012 Magento Inc. (http://www.magentocommerce.com). * @license http://opensource.org/licenses/afl-3.0.php Academic Free License (AFL 3.0). /. { background:none !important;

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-Q6H70.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	4266
Entropy (8bit):	4.888037026868242
Encrypted:	false
SSDEEP:	96:FL8hjXF4ZFQF9FN/bIbx/yG2aC98ZehV9KF5Kf5k8gItrGZWFXyLYPBYzzDGt50s:F4xCKHT/bIbty19ee79KF5K68gI/yLsT
MD5:	94AED20EA3D620951F905B410B0058B2
SHA1:	0D4EA80D39F277A92FD4946CFB60EDFDEC72FADD
SHA-256:	4A2DE64E3701F68BE8FE448B569E3E2D36E54EA4AC59C25C91209F657ADD6C89
SHA-512:	FC5C107B7275A54966CC575EFAB496BF8D1BC3048D4ACD8916A62E0FE8B29AEDB4C44DE4513645CD4837ED58EBDF337BC3C9768E427B2DB3CF5D86CE07050649
Malicious:	false
Preview:	.b-core-ui-select { . margin:10px 0 0 0;. position: relative;. width: 86%;. padding: 6px 10px 6px 12px;. font-size: 12px;. line-height: 18px;. color: #333;. text-shadow: 0 1px 1px rgba(255, 255, 255, 0.75);. cursor: pointer;. background-color: #f3f3f3;. background-image: -ms-linear-gradient(top, #f3f3f3, #fff);. background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#f3f3f3), to(#fff));. background-image: -webkit-linear-gradient(top, #f3f3f3, #fff);. background-image: -o-linear-gradient(top, #f3f3f3, #fff);. background-image: linear-gradient(top, #f3f3f3, #fff);. background-image: -moz-linear-gradient(top, #f3f3f3, #fff);. background-repeat: repeat-x;. border: 1px solid #f1f1f1;. border-radius: 16px;. -webkit-box-shadow:inset 2px 2px 2px 0px rgba(0, 0, 0, 0.4);. box-shadow:inset 2px 2px 2px 0px rgba(0, 0, 0, 0.4);. -webkit-user-select: none;. -moz-user-select: none;. -ms-user-select: none;. -o-user-select:

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-QQDCV.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	4357
Entropy (8bit):	5.086666572264107
Encrypted:	false
SSDEEP:	48:h7+KZxJqQACHvdNOHAQVVZoxkVSmoAVxrYFQAR8/cr0Rx//rxCP7Rit/i7ri:hiex4CvdK30WvBcAMm9jxCP1iJini
MD5:	1BC699D294BA8BD26942A616C3EA89BF
SHA1:	A9D12A169CB0280B92DE02AB8C6C7C8DC1C1B378
SHA-256:	F54611C97CE99395B222F18FAB12115EA88182BD5FA922B8942DC5E792184D91
SHA-512:	895F0F099AE6A4CDF35B076B84D353762555A74C1A0FCA45DE438E2FD8E0468484FA4480FB84F94AEC42F2FC4EA5939E2A3107B446656D1ABFEAFAE86DCAA2D2
Malicious:	false
Preview:	/*. Magento. . NOTICE OF LICENSE. . This source file is subject to the Academic Free License (AFL 3.0). * that is bundled with this package in the file LICENSE_AFL.txt.. * It is also available through the world-wide-web at this URL:. * http://opensource.org/licenses/afl-3.0.php. * If you did not receive a copy of the license and are unable to. * obtain it through the world-wide-web, please send an email. * to license@magentocommerce.com so we can send you a copy immediately.. . DISCLAIMER. . Do not edit or add to this file if you wish to upgrade Magento to newer. * versions in the future. If you wish to customize Magento for your. * needs please refer to http://www.magentocommerce.com for more information.. . @category design. * @package default_modern. * @copyright Copyright (c) 2012 Magento Inc. (http://www.magentocommerce.com). * @license http://opensource.org/licenses/afl-3.0.php Academic Free License (AFL 3.0). /../ Widgets =======================

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-R7SLK.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 520 x 260, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	163954
Entropy (8bit):	7.997380423199459
Encrypted:	true
SSDEEP:	3072:TXsC50/yArWhc9OsI3zpKpMy4HqUmHtcg/osHXLYlYbxl9NimU:AC5gGgZOKpx4+H0lYbxrK
MD5:	22DCF2D7C51348D365D4C6DB11AAA615
SHA1:	8CFDAD2E3F5757438D9B6A7E42E2EFC1D0378ED4
SHA-256:	30F40B224D899FADEB89099E87B702FAF573914259A955BF3861F4E970C8D9D0
SHA-512:	5B22757CA8BEF67B89CF23ACC51BF6B35F21D203939FE2D6C6E0FC5FCF17BA5486A982BA58141E052DDA8D1D58374E68ED33A2E15F359306AAD433EED80C9B24
Malicious:	false
Preview:	.PNG........IHDR..............[.....tEXtSoftware.Adobe ImageReadyq.e<...$iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:C31305036C6011E28948F21434340203" xmpMM:DocumentID="xmp.did:C31305046C6011E28948F21434340203"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:C31305016C6011E28948F21434340203" stRef:documentID="xmp.did:C31305026C6011E28948F21434340203"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...p..\|.IDATx..G.$Iz&.*tD.\|.tuOuO..g0..X.....H..F.......N{ .<.@..5#y......b...aX..@...iY.....;.../2#2.j15Hk..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-VE9US.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 80 x 80, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	19946
Entropy (8bit):	7.9802553970586985
Encrypted:	false
SSDEEP:	384:PJXE05NCJU1LcNVmza+d5HrM5NKtj7iYGVRMS+GE1aSjk6N86:N35NCJU1LTRrw0tC1VRGGMbv7
MD5:	67762894881BFB63FB6961C18CB31251
SHA1:	0A1E5D5BF083BF5AB745CEF7F2F7DEEA28FA70D4
SHA-256:	9652BA4942B40A66C17785230946AB83320878DA3432B64B5815BFBFF267E247
SHA-512:	549A137F2E628D4BEEF1259F836FCEA8DD8E0C095F43DC9E1196CEA410CB232A7A6D8AE43501FA3DE78F6E242F2A66405E9543CF2B803DD1A9FFF2868A7DD653
Malicious:	false
Preview:	.PNG........IHDR...P...P........;....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-VFFTA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	9084
Entropy (8bit):	5.065593140327065
Encrypted:	false
SSDEEP:	192:hHkh1vcghAgzaYToWEaRuBMYzwd8Hj5YuMe2Ec:qjkqAgZVSwdYw
MD5:	5F2BED4A85218C1C9C056201259D9477
SHA1:	352547773546BB1D33CB0C2384F7BD97B158C7C7
SHA-256:	FC4B85956CF6A007BEF8A531757A85F15C65937C717D6294B78D24688F36FF0F
SHA-512:	2D9E9A2B2B305B9178179D2A69322EABE394287F1C31A2D40B930C5A249433B1C646118D6EC67495926FE138306291A9C29F4F35004F18D9D5E1FB6267A20405
Malicious:	false
Preview:	/..AnythingSlider v1.8+ Default theme..By Chris Coyier: http://css-tricks.com..with major improvements by Doug Neiner: http://pixelgraphics.us/..based on work by Remy Sharp: http://jqueryfordesigners.com/./../***************************. SET DEFAULT DIMENSIONS HERE. **************************/./ change the ID & dimensions to match your slider /.#main_slider { ..width: 992px; ..height: 352px;..list-style: none;../ Prevent FOUC (see FAQ page) and keep things readable if javascript is disabled /..overflow-y: auto;..overflow-x: hidden;.}../.caption{..filter:alpha(opacity=0);..-moz-opacity: 0;..opacity: 0;.}/../***************. SET STYLING HERE. ***************. =================================. Default state (no keyboard focus). ==================================/./* Overall Wrapper /..anythingSlider-default {..margin: 0 auto;../ 45px right & left padding for the arrows, 28px @ bottom for navigation /..padding:0;.}./ slider window - top & bottom borders, default

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-0N1KC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	6.138741072579881
Encrypted:	false
SSDEEP:	24:+qqGcDzDzzrspvYD/teTclAZOPUzydT4l7Rx6IRzav29P9B66k:a/DzDPrsK/tegAZOPAku7H5zav2d9B6Z
MD5:	4BF5323641C8B9F667BE8A2530CB17C4
SHA1:	8824036ED659C4D0A23376329B397BB01632B9DB
SHA-256:	533DAA8DE562BB129564B41E2BBD734D74178E4CBB02B060A780A6C5DAE9D6B6
SHA-512:	E63C20BF94A9DE5D6344E56A3D6934B32D65D13201BA3326E70F1DC0AFA9475ED2BFA44EB829498AB80265DC1B3B5ADB0BE866F50F685276E5B1FD0E0AFF73FA
Malicious:	false
Preview:	............ .h.......(....... ..... ..........................q...y...x...x...x...x...w...x...x...x...w...x...x...x...x...r...\|...s...s...s...s...s...s...r...s...t...s...s...s...s...s...{...~...v...v...w...w...v...v...v...u...u...v...v...v...w...v...\|.......z....P..........z.............z...z............P..z...........}....X..........}.............}...}............W..}............!..^..........."............."...!..........]...!...........'..e...........'.............'...'..........d...'......."...-..k...........,.............-...J..........h...,...!...%...2..q...........2..............................K...3...%...)...7..w...........8...........................6...8..........=...7...)...)...>...0......0...7...@...=...9...>...=.......2...C..[...........B...C...C...D...C...D...C...C...C...C...3...8...I..p...........I...I...J...I...J...J...J...I...J...J...6...;...O...L..`...R...O...N...N...N...O...O...O...O...N...O...:...=..U...T..U..U...T...T..U..U..T...

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-1AEF7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.462526568231166
Encrypted:	false
SSDEEP:	24:xDsK0GRS99Rss9RRgJw3Y8/atH9aVGS4pF8lY2GSVSSSSSaGR/X/f:lML9RYwottHQVGR8l9TVSSSSSaUvf
MD5:	EA31E69B4C099C0090A088937CE958D6
SHA1:	CC50F1927506BA8B94C17BFEBBA8D7B928C3A2E0
SHA-256:	3F5FDBA100DD35B0BB4DBBC216A6D0E555C11E3C4907871A1B641BAFCEF6AC99
SHA-512:	B3A62801B292D27F8614E8612399A13A1B66C15EE8ED7781A4DE87C05CE8530255A8F4BA993775810D8E4E1DA2647E58B57C3026BB0718294AA6E4C515E888D2
Malicious:	false
Preview:	............ .h.......(....... ..... ..........................D...C...A...A...A...@...@...@...@...@...@...A...A...A...C...D...E../r...e...c...b...`...^...`...`...^..._...a...c...e../r...E...G...k...V...U...T...M...J...K...L...J...L...R...U...V...k...G...I...m...Y...Y...X..........@{...`...........m...Y...Y...m...I...K...q..._..._...^...e..................$r...]..._..._...q...K...M...v...c...c...a...Z...d..........9z...X...^...b...c...v...M...N..!{...g...g...d..s.......................(w...e...g..!{...N...R..$....l...m...k..........R...P...w............l...l..$....R...S..'....q...r...p..#z..`...........z...&{...{...r...q..'....S...U..,....v...v...r..Y........................q...t...v..,....U...W..1....z...z...w...........r...r..........?....y...z..1....W...Y..6....}...}...{...........p...m..........E....}...}..6....Y...[..;...............l.......................%...........;....[...^..A...#..."...#...$...y...............,...#..."...#...A....^...`..[...G...D...E...F...F...F...F...F...F.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-21JHN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.007783593279535
Encrypted:	false
SSDEEP:	24:w66666666666BOOOOOOOOOOSXOOOOOOOOOOSXOOO2OOOSXOeKLOSRMlSkHdOOOO9:w66666666666P3O66666666666/Ojk
MD5:	887346B0A7F145675E44AB17E35F54FE
SHA1:	C22531915DF0528177698EA3AD39DB9A70EA6869
SHA-256:	BAC266365103ED4DDCA35A3B2398886E2090BBE53899DC809FA7DC9599654BC9
SHA-512:	7EEC4DAE36617AE74FA8A916ED16746FD97BBC742C05BBA3250904660D1C8E87989D39BCEEAE405016A95F22BE937EBDB789A22E42CD1088F0ABF623916679B8
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................................................................................................................................U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6V..........................................................Z..V..........................................................Z..V..........................................................Z..V..........................................................Z..V......................p...q...q...p.......................Z..V..............t...s...................u...s...............Z..V......z...p...................................q...w.......Z..T..j...................................................k...W..V..........................................................Z..V..........................................................Z..U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6..........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-2T5B4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.836023872190528
Encrypted:	false
SSDEEP:	24:DNZdMMMMYVyz2pwij2kQauIG+wEvP3EkBChMc0kkkkke8x2R+Mxz6wwwwwwwwwwg:3qVyb0up+wEXvku8x2R+MlZwwwwwwwwh
MD5:	881D10F5781985AD7299364314CEB948
SHA1:	4F7B1A21207997EE749EABB0310E6AF507F7A502
SHA-256:	F7DD472A36C95EDC749DCAF7CCD44ADD8D3A9DE083101BDE1DD6994051374082
SHA-512:	476D739E9315B2087B0AE8DA53C8DFEB3747DE7C9548C25648B6254B7A91DCEAC10096DDC04175997D268A32612197BE07C685A4BB33643ED544FBCAC947DF88
Malicious:	false
Preview:	............ .h.......(....... ..... .........................q...q...q...q...q...q...q...q...q...q...q...q...q...q...q...q...n...n...n...z...................................z...n...n...n...j...j...................................................j...j...g...t.......x...g...g...g...g...g...g...g...g...x.......s...g...c...........c...c...c...h...........g...c...c...c...........c..._\|.........._\|.._\|.........................._\|.._\|.........._\|..\m..........\m..ar......z...\m..\m..{.......`r..\m..........\m..Y_..........Y_..........Y_..Y_..Y_..Y_..........Y_..........Y_..cV..........cV..........cV..cV..cV..cV..........cV..........cV..mN..........mN..rS.......n..mN..mN...o......rS..mN..........mN..xE..........xE..xE...m...................m..xE..xE..........xE...=..........=...=...=...C...n...n...C...=.......N..........=...4...F.......J...4...4...4...4...4...4...4...8...K.......E...4...,...,...l...................................k...,...,...............A.....................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-5C5TH.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.0034072391179
Encrypted:	false
SSDEEP:	24:3l4333333Ba333U7JDYF7336Ooi/F73afj/F72vcvtRaIDJluX5Ojk:VgWF+OZ/Fmj/Fgc6+uJOjk
MD5:	67B4BC8703A96A1CAB1B0AC8E37B26F8
SHA1:	363D0703311B99984E26F216A5205CD8D03E8389
SHA-256:	AE2369C58A93218087EB6B5535B1D2547F1FAE00DBC7303ACE8B3B1238BC7CB2
SHA-512:	0283160D49F3F7C17496B5476B2BF7689B3203E0E97CD36CA6EBE06A24D46A62F469C4F24E310220AA48D4FF7AD6D51A56621ED443AFAA50B7645B6688EBB33A
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................................................................................................................................?_..MZ.L...I...P...P...P...P...P...P...P...P...P...P...H.8.H*?..LZ.MZ................................................./9../9..KX.MZ................................................/9...9..KX.MZ................................................/9...9..KX.MZ................................................/9...9..KX.MZ......................p\|..co..................../9...9..KX.MZ..................P`..MZ..MZ..P[................./9...9..KX.MZ..............MZ..Q^..........O[..MZ..lw......./9...9..KX.MZ......Vc..MZ..co..................en..MZ..S]..../9...9..KX.MZ..MZ..MZ................................MZ..MZ..>K../9..MZ.MZ..O_..........................................R`..MZ..LW.KY.JYc.................................................Zg..LY.S..........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-5PQJ1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.7202656984010085
Encrypted:	false
SSDEEP:	12:JdJzibJG6NppClipAcGrwX6QG6tIR/8hINNIyJwy1I2Mleeyy7qVT:JdJz+BalipGZP6tIMINNIcV1I2Ml2y7a
MD5:	EBFC3AD0B132D550ADC92A0F42776D1F
SHA1:	335FFD8C4685F556F837F6E8D94D7058F4636023
SHA-256:	1F00E5AE25225136ED95AD24D70C691C4367843E52A3E6D961F4E2009DFEA934
SHA-512:	A834FD7402F572AB7D27A0547C4363A02C94DCD87E733AB7DA0CC1B25437657F8876F540EC06C544AFB6490449B6611311EE82C8F6E333771D7A00CD391D523D
Malicious:	false
Preview:	............ .h.......(....... ..... ..........................D.?.C..B...@...?...>...=...;...:...9...8...8...8...8...8..8./.F..Q...])..d/..b/..f1.........................._,..N...B...8..G..._+..g1..e0..d/..g2..........................a...V'..M...8...H...i3..h2..f1..e0..h2..........................b...W'..V&..8...I...k4..i3..h2..f1..h2..........................c/..Y(..W'..8...K...k4..j4..i3..g2..i3........................b...Z)..X(..8...L...l5..k4..j4..i3..g2..s@..............q?..^,..[..Z)..9...M...l5..l5..k4..j3..h2..g2..i3..l5..l5..g2.._-..^,..\+..[..:...N...l5..l5..l5..k4..j3..j3..t..........t..f1.._,..^,..\+..;...P...}M..U..Y..b..^..P..................~O..j:..e5..a0..=...Q...l..i..e..b..^..g..................g..n>..j;..f6..>...R...l..i..e..b..^..P..................~O..p@..k;..h7..?...T...l..i..e..b..^..}M..Z.........Z..q?..qA..m<..g5..@...U...X..i..e..b..^..[..~O..wD..uB..wE..vF..sB..n=..a/..B...V...m:..V..S..~P..{M..yJ..wG..uE..rA..o

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-5U49R.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	706
Entropy (8bit):	7.638733880632528
Encrypted:	false
SSDEEP:	12:6v/7Uqs1+tuWPx3jbdb1W7vVeaQkcbxKOd1MB09EVxRXXstDRpROyXSF:3qs1vWPxTugaxcbxKwMB09EjUVOyg
MD5:	B9A06A13BF911BA4288024CB22CD4B8E
SHA1:	43D03CC1C89C311CD7E8F39D531341D71CEA5C98
SHA-256:	E37F73F2FC45067F9F946BA9AC18E6D5C87FFDFB096853667699EA5CA116871E
SHA-512:	417D7091DA9950B32A197599775BD72A9DD7A2D996F5F057B47D490A61AD70D697A3D2B293ECDDF0901D6EE482B86CBC04E808E08005550E7F0600AE5F1134A7
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.m.KLSQ...so.........ipC0F..$..h._....H...r.[.........+.....X.......)-..B.....C..t.............).x(....&,/..x..n.`.F.9.y.S..U..bq.....M.f.08}..G"Q.LGC...GQW..B...&.)H\|.c6.%DU...08..s.4.#..`..?..]....f. _..c.h.j{?..?q(0........}.h~'.........k..b.eZ.......f..KI0..+kz#..T/.....^.F.]..D`p....`........J8(..2.h]Z.d.j...4..`2.!..1.......KQ.......L..].K....Sq..(:.~CO.R...4:..s.y.<.\|Y..O.3..E]...'...e?.T?H@i.3..U.d,5.....8]..f...t.kh....T.....Xs.).....t.(.q.........0.....M...Y....[.O.Z...vkk......W$..2nl.......].OI..[........$g.2n\|.'X..G..]...V..+..#7.\|'."..K`jr..h.!...s..`_..Plvt....9..Zt.....D<...q6.8g.r.h..B.Y..]$.P.......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-5VJS8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.007783593279535
Encrypted:	false
SSDEEP:	24:w66666666666BOOOOOOOOOOSXOOOOOOOOOOSXOOO2OOOSXOeKLOSRMlSkHdOOOO9:w66666666666P3O66666666666/Ojk
MD5:	887346B0A7F145675E44AB17E35F54FE
SHA1:	C22531915DF0528177698EA3AD39DB9A70EA6869
SHA-256:	BAC266365103ED4DDCA35A3B2398886E2090BBE53899DC809FA7DC9599654BC9
SHA-512:	7EEC4DAE36617AE74FA8A916ED16746FD97BBC742C05BBA3250904660D1C8E87989D39BCEEAE405016A95F22BE937EBDB789A22E42CD1088F0ABF623916679B8
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................................................................................................................................U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6V..........................................................Z..V..........................................................Z..V..........................................................Z..V..........................................................Z..V......................p...q...q...p.......................Z..V..............t...s...................u...s...............Z..V......z...p...................................q...w.......Z..T..j...................................................k...W..V..........................................................Z..V..........................................................Z..U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6..........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-63GVG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	699
Entropy (8bit):	7.652754071132357
Encrypted:	false
SSDEEP:	12:6v/7WaWgISPVxzQYiM4U3qwAwJms1184FTquLwsObH6yk2CrJ61:rnuzKMf3pXmg/FDoZkd61
MD5:	6A1DE861212D48E1899DF21E458C1542
SHA1:	02A81BF8ADE97DAC769CD1DBA84A207431E077CF
SHA-256:	052EE2A81A293DC611CE88300798DBA2B2E7B0CD924C099CB9B6B8C3D4B354D1
SHA-512:	6EEC1E50166CBCB04C7A53AC7A94CC0133788FABC4E2B781F076B69DF3B906BDC07A4CB99CBF02F2E0B5F273DD3152DBDF2405BA78EDFD694034B7CA9545B458
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.e.Kh.Q...;.I&.T..M.v..q.(.}(b[......"...V.Rm.......BD..ji...m......TteC...M2y\.....y....g.a..'..+.~.10.q.._0._.Yy..m>.d-.(.V..d`".6........u.w..).....\|...$3Y.,;...%..H'.....iXWS.k.7!.....S"......ds.g..q`.{Tx....l..D.]/..AV..[....5\...T......r.Kh#W..B...pi...\.CS...2..W^..a..:...(.;B..t4....J*..W+\|.oc.7..B.%.........(.L...FDh.f.......EM.....8........+I.....C...n...._.?..../.....~t...q..6.....E.b..j...7#8M......p1.^.G.u.k.._.=E.cu.a.S7...E..[Q..h&.....E?.'0\..@....a.0."..M....m..c..........8.&.s.1.h .R.;.6..}w"8A.&......J..........`840w.#..3..X.V:y.>[.Y......J.3o..2Yn.5.esHC...;~.@.5.....K{.;`A.......".........IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-707HS.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	776
Entropy (8bit):	7.739847313028713
Encrypted:	false
SSDEEP:	12:6v/7A0VGIMaJnGINOCUG1s1tdXBlkgV3qICi6aw5FDk+RA1xuw/bK11x8GRtnY1V:5IzGGO60BC/P5iohugnYiLjU
MD5:	F7412F52AFCDBFAA2520A462C99468FC
SHA1:	DE1BAD996FACA409432C84C0EE0724827C00D072
SHA-256:	13F249E23B22582CFC057954C4A040EBA5733E3FEEA3FC3DAB0F9EF584DE89A8
SHA-512:	FA1205996FF98BCA175F38AB210AF47E56DF29E580D8FA16CA6C30C9BF324D53847335149DCDB874178F7642D49AD24DFEC0C67B32F831E6999B9050FB7ECE64
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.S{H.Q.=....)Y....\|4..CmeZZ*....!dQ..J..J..aI..... %.LILK..0....SI..H3\|l.}[[O.........K.K.....s."#.DB...a...t........hAb\..h4NG.....7j..W.z.fK.3R.....emD4c%...0.....7?a.9.GY..g.......x..<.c..3@....#.......>}....X...v.j.W.$(.....]..(.lF..A..G..m.oU.UW/r..p..1^t..pj4.Y..x...=G...X'[..-..j.NW>.Z.Gdn.E.[..&....'+...@.uk..........Oqd....~r.).G....1.W.L.........@..(..g..![....P..eI...(...(Y....:...h(J.......j.7.......D..M`.....Zd.6B$...rD...K..e2.\....I8..ao..h....Y.\|.&... .t@X...u/q.........T,M......Q.%.Vs...!."....rw.GYC.Z.9...a#....G.l51D^..i..... .J?W.hF.>0......(..m=Z.hG.5O...........=%.P.H..-C..P..?.=V.#..~........M....2..T.?..D....._$....qg]....@$...d4.....[j2.....AF%.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-7L6FS.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	597
Entropy (8bit):	7.503484841838105
Encrypted:	false
SSDEEP:	12:6v/7w7/6TVuA6q45LsaGcUiSVgYtyHUzX8hXqY+sP5yuRGe0zwcu6S:X7/6xft45LqcUjGYUUzX8hXfPP0uiksS
MD5:	535102101CF2549EAAC03D4D2424C607
SHA1:	70BF44C6E737D6127182AB1D38840A448ED6A162
SHA-256:	2E520CE5AAAF8A0DC35E182FE8986438B8CAB107221304AB4C9EAA901E1956AE
SHA-512:	FA510429D278EDFC7576EC900B88A60D1E09B656CF558F16DBB1404137F372B89D67AD9B06EF6114D7353E4501486FEFD9284B888E53D29B8364604504C377D8
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....pHYs.................IDAT8..Mh.Q...{3.....&.1..Zqg.i.A%.`.\...F.(....(.....q.E.e.mA..Z.XK..6.L3..ys]....Wzv..s..........yj.&[..t....U.0....;.\|..[.....%..J.HbZ..T.......T.<BPJ..0p....1~[.OFgv...dLj..:D..'..Y...?t}ziMwx.@#..jj..S.c..<...o%s..M.tbI...........5...w.Q2i...i%./...\|..s...u.j&.............k..9..r,.....p..9qW..bRi..W....}DC....T..E<\|T0......0Ijx....\V.t...._..d.[....S.p(......>.....o.m...T[.pl[h..3.#..rE..v...wM..8[......h.,..G.~'...m?...5..V...e.b.=.7.!...D4....q)....%B.m?...o..#..9w1......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-7Q3HO.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.943382230545427
Encrypted:	false
SSDEEP:	12:S4YaNZKzJLGaBGzrHyCX0n3Ols63OjokVhVZcR9dfw8skIL00006fDxzKapll1Km:1uzJJBGH+j5hS9VxAmpKuNNNNNNNNNZ
MD5:	C372CECACDD31BCFD147D55D146C2CD4
SHA1:	A0C7F66256023E4DA4697CE0D37D809D206CC85E
SHA-256:	508BD905BEA0E89DA025DECD1BFE5E4B31A1F003BC3F2B5C5567A2470A307820
SHA-512:	58287A1C0896ABA3F9712FCEA29C3DAF892AE9F485E4DDBA56A442F9B7B6F439D3375A0EB46209FF4E86720B0D5C706BC22F8C49165A34458CA0A4EE2BD94DE7
Malicious:	false
Preview:	............ .h.......(....... ..... ...........................Q...F...?...?...?...?...?...?...?...?...?...?...?...>...E...Q...H...i...............................................d...H...C...................E...3...3...3...3................C...E................3...3...3...3...3...3...3.............E...G.............F...3...3...3...3...3...3................H...I.............3...3...3................................J...K.............3...3...3................................L...N.............3...3...3...3...3...3...3................N...P.............3...3...3...3...3...3...3...3.............P...R..............3...3...3...3...3...3...3.................R...T..............3...3...3.................................U...V..............3...3...3.............................W...X.................3................................Y...[.....................................................\...g......................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-91PCT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	658
Entropy (8bit):	7.412255128365162
Encrypted:	false
SSDEEP:	12:6v/7wM6ZjAgxNF+Q7L4f031MIYJqGdhz90Iq7AGg71T+51fDPgME:XMOxbL4+S1nJ0xk71TYzgP
MD5:	79AEBF6646108C56AA59E1D27672A308
SHA1:	BAA186067518DFA1F18A2AFCB50AF03041E40AA4
SHA-256:	B64E7582BFD5CD8AAE7F9AB31B2B12AFF640857B6670873D94C15D0CE70533D9
SHA-512:	D41A2F5A204B43DADF5CC461EB1E713187B6AF616FF651A06299574C7BE1E8E9A634E9259C3B63594E627DE2FC8B5DE4CC02FD2DF5F51E924E74C74A7EAD515A
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS4.......tEXtCreation Time.12/12/08.Z......IDAT8...MkSQ...s.I./.ik...S..bA1[7n...H@...[...D.n.U..E.bAcH.$MC.....ZIc...8...w..U.=..UsbUU).;.F.+.R3....U.I%P4.E...V.......9rT.].X,V"n.\."&.3.2pn.R."...o...".L`.=..9>...-...w.y..\..#g.^...@..z..P...Z.D......D.ApA.*.........pD.:\|...&.x..p......5..R.w..x....SY.../.J&.I..H...'...X....=A.x..&...{....b.0.cEp..:............%..$&........g;f.P..6..t~.S.R.>...[6..s=x.u.r&.O...^..jJQDc0b..............'tc.ec8.#..z......>\..M..b.;.<%..4.0v....o..V/b...&g\|mo"..^...N..#.).#..fB....:..t......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-9LVJ0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.007783593279535
Encrypted:	false
SSDEEP:	24:w66666666666BOOOOOOOOOOSXOOOOOOOOOOSXOOO2OOOSXOeKLOSRMlSkHdOOOO9:w66666666666P3O66666666666/Ojk
MD5:	887346B0A7F145675E44AB17E35F54FE
SHA1:	C22531915DF0528177698EA3AD39DB9A70EA6869
SHA-256:	BAC266365103ED4DDCA35A3B2398886E2090BBE53899DC809FA7DC9599654BC9
SHA-512:	7EEC4DAE36617AE74FA8A916ED16746FD97BBC742C05BBA3250904660D1C8E87989D39BCEEAE405016A95F22BE937EBDB789A22E42CD1088F0ABF623916679B8
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................................................................................................................................U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6V..........................................................Z..V..........................................................Z..V..........................................................Z..V..........................................................Z..V......................p...q...q...p.......................Z..V..............t...s...................u...s...............Z..V......z...p...................................q...w.......Z..T..j...................................................k...W..V..........................................................Z..V..........................................................Z..U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6..........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-9N74M.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	284
Entropy (8bit):	6.999082250525666
Encrypted:	false
SSDEEP:	6:6v/lhPLzGx5AzGCL2yyI+9G1TWruJHixcusmPuAU/iCSS1zbuaVVp:6v/7DyeL2/Gor8HixWmkSEt7
MD5:	08D991D399E657EA3A81DA798D204DD8
SHA1:	8B8161A39DA344A96DCC40F8722D7C2BDAEE05D3
SHA-256:	0DC9ECD2BB9B3A9E95D45B431B050CB3B32D7D1913CAEE21223193F6D6DFA4C2
SHA-512:	C2CDCA46638E013B0196DA608FEC94846E006817852556BAD6702CC7A2798E93C3E6BC3678450C55C9C89590AF2BDE12C3032D449CCE7A3B5FF637987936000B
Malicious:	false
Preview:	.PNG........IHDR................a....IDAT8..R...p...U.....\..rvt.6-".c...am.....!q.j.sPJ.0..;....#..P......7T.....#.1l..G.wc.T}YB%F8.R........Yv.zu?..........].....ag.v..d.v.X..].0..l'....e..f..5.."}.....Za.. ,S\|.......,t...p.d.{...]..u..U.D._....!9...q...W9].......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-9P8JN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	284
Entropy (8bit):	6.999082250525666
Encrypted:	false
SSDEEP:	6:6v/lhPLzGx5AzGCL2yyI+9G1TWruJHixcusmPuAU/iCSS1zbuaVVp:6v/7DyeL2/Gor8HixWmkSEt7
MD5:	08D991D399E657EA3A81DA798D204DD8
SHA1:	8B8161A39DA344A96DCC40F8722D7C2BDAEE05D3
SHA-256:	0DC9ECD2BB9B3A9E95D45B431B050CB3B32D7D1913CAEE21223193F6D6DFA4C2
SHA-512:	C2CDCA46638E013B0196DA608FEC94846E006817852556BAD6702CC7A2798E93C3E6BC3678450C55C9C89590AF2BDE12C3032D449CCE7A3B5FF637987936000B
Malicious:	false
Preview:	.PNG........IHDR................a....IDAT8..R...p...U.....\..rvt.6-".c...am.....!q.j.sPJ.0..;....#..P......7T.....#.1l..G.wc.T}YB%F8.R........Yv.zu?..........].....ag.v..d.v.X..].0..l'....e..f..5.."}.....Za.. ,S\|.......,t...p.d.{...]..u..U.D._....!9...q...W9].......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-A1DBG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	284
Entropy (8bit):	6.999082250525666
Encrypted:	false
SSDEEP:	6:6v/lhPLzGx5AzGCL2yyI+9G1TWruJHixcusmPuAU/iCSS1zbuaVVp:6v/7DyeL2/Gor8HixWmkSEt7
MD5:	08D991D399E657EA3A81DA798D204DD8
SHA1:	8B8161A39DA344A96DCC40F8722D7C2BDAEE05D3
SHA-256:	0DC9ECD2BB9B3A9E95D45B431B050CB3B32D7D1913CAEE21223193F6D6DFA4C2
SHA-512:	C2CDCA46638E013B0196DA608FEC94846E006817852556BAD6702CC7A2798E93C3E6BC3678450C55C9C89590AF2BDE12C3032D449CCE7A3B5FF637987936000B
Malicious:	false
Preview:	.PNG........IHDR................a....IDAT8..R...p...U.....\..rvt.6-".c...am.....!q.j.sPJ.0..;....#..P......7T.....#.1l..G.wc.T}YB%F8.R........Yv.zu?..........].....ag.v..d.v.X..].0..l'....e..f..5.."}.....Za.. ,S\|.......,t...p.d.{...]..u..U.D._....!9...q...W9].......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-A428I.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	284
Entropy (8bit):	6.999082250525666
Encrypted:	false
SSDEEP:	6:6v/lhPLzGx5AzGCL2yyI+9G1TWruJHixcusmPuAU/iCSS1zbuaVVp:6v/7DyeL2/Gor8HixWmkSEt7
MD5:	08D991D399E657EA3A81DA798D204DD8
SHA1:	8B8161A39DA344A96DCC40F8722D7C2BDAEE05D3
SHA-256:	0DC9ECD2BB9B3A9E95D45B431B050CB3B32D7D1913CAEE21223193F6D6DFA4C2
SHA-512:	C2CDCA46638E013B0196DA608FEC94846E006817852556BAD6702CC7A2798E93C3E6BC3678450C55C9C89590AF2BDE12C3032D449CCE7A3B5FF637987936000B
Malicious:	false
Preview:	.PNG........IHDR................a....IDAT8..R...p...U.....\..rvt.6-".c...am.....!q.j.sPJ.0..;....#..P......7T.....#.1l..G.wc.T}YB%F8.R........Yv.zu?..........].....ag.v..d.v.X..].0..l'....e..f..5.."}.....Za.. ,S\|.......,t...p.d.{...]..u..U.D._....!9...q...W9].......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-AKT6D.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.007783593279535
Encrypted:	false
SSDEEP:	24:w66666666666BOOOOOOOOOOSXOOOOOOOOOOSXOOO2OOOSXOeKLOSRMlSkHdOOOO9:w66666666666P3O66666666666/Ojk
MD5:	887346B0A7F145675E44AB17E35F54FE
SHA1:	C22531915DF0528177698EA3AD39DB9A70EA6869
SHA-256:	BAC266365103ED4DDCA35A3B2398886E2090BBE53899DC809FA7DC9599654BC9
SHA-512:	7EEC4DAE36617AE74FA8A916ED16746FD97BBC742C05BBA3250904660D1C8E87989D39BCEEAE405016A95F22BE937EBDB789A22E42CD1088F0ABF623916679B8
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................................................................................................................................U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6V..........................................................Z..V..........................................................Z..V..........................................................Z..V..........................................................Z..V......................p...q...q...p.......................Z..V..............t...s...................u...s...............Z..V......z...p...................................q...w.......Z..T..j...................................................k...W..V..........................................................Z..V..........................................................Z..U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6..........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-CKE1P.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.007783593279535
Encrypted:	false
SSDEEP:	24:w66666666666BOOOOOOOOOOSXOOOOOOOOOOSXOOO2OOOSXOeKLOSRMlSkHdOOOO9:w66666666666P3O66666666666/Ojk
MD5:	887346B0A7F145675E44AB17E35F54FE
SHA1:	C22531915DF0528177698EA3AD39DB9A70EA6869
SHA-256:	BAC266365103ED4DDCA35A3B2398886E2090BBE53899DC809FA7DC9599654BC9
SHA-512:	7EEC4DAE36617AE74FA8A916ED16746FD97BBC742C05BBA3250904660D1C8E87989D39BCEEAE405016A95F22BE937EBDB789A22E42CD1088F0ABF623916679B8
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................................................................................................................................U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6V..........................................................Z..V..........................................................Z..V..........................................................Z..V..........................................................Z..V......................p...q...q...p.......................Z..V..............t...s...................u...s...............Z..V......z...p...................................q...w.......Z..T..j...................................................k...W..V..........................................................Z..V..........................................................Z..U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6..........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-DG4EN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.007783593279535
Encrypted:	false
SSDEEP:	24:w66666666666BOOOOOOOOOOSXOOOOOOOOOOSXOOO2OOOSXOeKLOSRMlSkHdOOOO9:w66666666666P3O66666666666/Ojk
MD5:	887346B0A7F145675E44AB17E35F54FE
SHA1:	C22531915DF0528177698EA3AD39DB9A70EA6869
SHA-256:	BAC266365103ED4DDCA35A3B2398886E2090BBE53899DC809FA7DC9599654BC9
SHA-512:	7EEC4DAE36617AE74FA8A916ED16746FD97BBC742C05BBA3250904660D1C8E87989D39BCEEAE405016A95F22BE937EBDB789A22E42CD1088F0ABF623916679B8
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................................................................................................................................U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6V..........................................................Z..V..........................................................Z..V..........................................................Z..V..........................................................Z..V......................p...q...q...p.......................Z..V..............t...s...................u...s...............Z..V......z...p...................................q...w.......Z..T..j...................................................k...W..V..........................................................Z..V..........................................................Z..U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6..........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-END4D.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.463689107615048
Encrypted:	false
SSDEEP:	24:K/1fhCeNZn1dIxF327RYl2gZArfrReA/T3UqZzqi:K/9hCAZn3EGRYvZMrReA7UMzqi
MD5:	C4CE03C4D6D52FDA15ED85DD35661191
SHA1:	7FC5453E63A2B3C8F5CC17A1A5B9D40E3BBCAA89
SHA-256:	EA932489B1C366D47D33EF6FC4898A11E85C5EF5BA2982A21506FF49BD230B44
SHA-512:	2A332EE917FDCEE81C4F1E19F340498B37AA1B549A1E48E5C5207879F5A6EC1233052A606202CE254E629EE63676BDAA1438D4165D0BF48C3CB4BCC3A26BC907
Malicious:	false
Preview:	............ .h.......(....... ..... ................................................................................................................H.H.#.#............................................b...4...+...X...y...'.'.!.!................................T...H...9..........~...r.r.'.'................................]...T...E...6...'..............&.&................................^...U...C...h..........5.5.-.-.%.%..................."..;..{....................I.I.<.<.4.4.,.,.#.#...............+..>..8.....w.........Z.Z.M.M.C.C.;.;.2.2..*..............3..N..J..j............k.k.\.\.M.M.B.B.9.9.1.1.#.#..........I..w..........}..u.....w...n.n.`.`.Q.Q.F.F.9.9...<.........._.............o..[........L^..Ci..4b..&Q...,...............f.............~..k........jj..QQ..<<..++...................k................w.........ii..ZZ..EE..33..&&...............Z.........................rr..``..LL..;;...................r...X..`...............yy.II

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-EPE4E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	284
Entropy (8bit):	6.999082250525666
Encrypted:	false
SSDEEP:	6:6v/lhPLzGx5AzGCL2yyI+9G1TWruJHixcusmPuAU/iCSS1zbuaVVp:6v/7DyeL2/Gor8HixWmkSEt7
MD5:	08D991D399E657EA3A81DA798D204DD8
SHA1:	8B8161A39DA344A96DCC40F8722D7C2BDAEE05D3
SHA-256:	0DC9ECD2BB9B3A9E95D45B431B050CB3B32D7D1913CAEE21223193F6D6DFA4C2
SHA-512:	C2CDCA46638E013B0196DA608FEC94846E006817852556BAD6702CC7A2798E93C3E6BC3678450C55C9C89590AF2BDE12C3032D449CCE7A3B5FF637987936000B
Malicious:	false
Preview:	.PNG........IHDR................a....IDAT8..R...p...U.....\..rvt.6-".c...am.....!q.j.sPJ.0..;....#..P......7T.....#.1l..G.wc.T}YB%F8.R........Yv.zu?..........].....ag.v..d.v.X..].0..l'....e..f..5.."}.....Za.. ,S\|.......,t...p.d.{...]..u..U.D._....!9...q...W9].......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-EUMAO.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	639
Entropy (8bit):	7.377780326372934
Encrypted:	false
SSDEEP:	12:6v/7VDc+Qow9oS1rka1r1gslVtbq7eH8MycqGcjnM1eyYHhLpPiX:fLow9frbxG4qecMCBjnMsyYHiX
MD5:	532021B5830C2239DEE3E8FF33229A0B
SHA1:	4C2280EF8547087BE905669B6F49AEEA4C19E2F5
SHA-256:	AA747B612FBFAC5FAC5866F83687D3683402387436E528C80D6E3B7C48EE770A
SHA-512:	90D8345469986460A788254EDADCBFB13F5C0FFF81F8CD9707C86A47E1DBA426A6318E5BA52ACFC381F81DB59CF10B04A894EF7FC5CBC950CE5B59FD001C5F88
Malicious:	false
Preview:	.PNG........IHDR................a... cHRM..z%..............u0...`..:....o._.F....pHYs...........~.....tEXtSoftware.paint.net 4.0.6..c.....IDAT8O.SKH.Q...i..U...J..J.]......tS....E....]..BW...B...?(RE.D4.[.A. .Db2..../.....L..{....X..*...."."w9...e.;.FD.!.Z~8h.;fw.!..J....<1.5......n..L.... ..1.....U..o.........Q.....U.....G.Pg?...m....P[..[EdC..g\|.~#.p.T.s...o/q1Z..B3..`..........C.K..X....Ym........aF...^.P....L.M..p2...Z..k.g....I....7...IC..P...:.Af.. ...-.P....am.3....~.k}H-.!9^.D.......Y[...?....{.w0W.k...O?...y....P+.5'....!........r..8..\|.0N.....z7yD.X+.%..T....+..-..!-jG.o..kn.)61......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-G7P4O.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.007783593279535
Encrypted:	false
SSDEEP:	24:w66666666666BOOOOOOOOOOSXOOOOOOOOOOSXOOO2OOOSXOeKLOSRMlSkHdOOOO9:w66666666666P3O66666666666/Ojk
MD5:	887346B0A7F145675E44AB17E35F54FE
SHA1:	C22531915DF0528177698EA3AD39DB9A70EA6869
SHA-256:	BAC266365103ED4DDCA35A3B2398886E2090BBE53899DC809FA7DC9599654BC9
SHA-512:	7EEC4DAE36617AE74FA8A916ED16746FD97BBC742C05BBA3250904660D1C8E87989D39BCEEAE405016A95F22BE937EBDB789A22E42CD1088F0ABF623916679B8
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................................................................................................................................U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6V..........................................................Z..V..........................................................Z..V..........................................................Z..V..........................................................Z..V......................p...q...q...p.......................Z..V..............t...s...................u...s...............Z..V......z...p...................................q...w.......Z..T..j...................................................k...W..V..........................................................Z..V..........................................................Z..U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6..........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-GKS39.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	284
Entropy (8bit):	6.999082250525666
Encrypted:	false
SSDEEP:	6:6v/lhPLzGx5AzGCL2yyI+9G1TWruJHixcusmPuAU/iCSS1zbuaVVp:6v/7DyeL2/Gor8HixWmkSEt7
MD5:	08D991D399E657EA3A81DA798D204DD8
SHA1:	8B8161A39DA344A96DCC40F8722D7C2BDAEE05D3
SHA-256:	0DC9ECD2BB9B3A9E95D45B431B050CB3B32D7D1913CAEE21223193F6D6DFA4C2
SHA-512:	C2CDCA46638E013B0196DA608FEC94846E006817852556BAD6702CC7A2798E93C3E6BC3678450C55C9C89590AF2BDE12C3032D449CCE7A3B5FF637987936000B
Malicious:	false
Preview:	.PNG........IHDR................a....IDAT8..R...p...U.....\..rvt.6-".c...am.....!q.j.sPJ.0..;....#..P......7T.....#.1l..G.wc.T}YB%F8.R........Yv.zu?..........].....ag.v..d.v.X..].0..l'....e..f..5.."}.....Za.. ,S\|.......,t...p.d.{...]..u..U.D._....!9...q...W9].......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-GL9AA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	813
Entropy (8bit):	7.700988619334296
Encrypted:	false
SSDEEP:	24:2/3exgROSyP3NqUTxBlR8kEPzRspi/MKFhG1Bx:hQOZNVR8HVZkKDG1v
MD5:	6EC205B2369CA054BF85B085486CED9D
SHA1:	26C0B61289F804913164DDDAD8F905E12C8BD4A3
SHA-256:	7E436D02E18B665764D2F2C748068AC8069DB59BCDDA9983F09EA370D742474E
SHA-512:	A446CB697276D8AB014E0A38FFB0F6F31FC1BE4DD27A0A795829F4E844237243EE6B7A92A881841DA30F4E3E7A396E6065DAEB4C868CAD7EE195162CCDE0ADBA
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.m.[hTW...}f....8Ij.51!.TI.h.^PJ...........\|.O}RKQ..D.\|....,H.. -i....4...1..h&.....]{...v..........,.?.}.......2../...r...........zH% .Z.fA...%;>.. ..MT.+.....c....r....!......%pS.c.......k/..O...W.$Wm.].`.....N.g.......m...b.VTg#zY.j....4T..b.\|^..D7....'....\.z....J.j{(....F(.Y.3"..w`^....p.....j.:...........@;.z..UUB...O.E..6.7]..6..5,.J..Y2-...I.1(TJ..Tt...&.#.V..PH.\|.[...O....2.....[."+...2....8..K..=..;c4.....uRO[....a...........Z./.3........^{0%.$7\|..r7Np..\'.Hw....2..1..+(#.......e%B.saZ:...&s........D...g.3/ ...o........Q."....Bo:+.@.(_........^m"0..x../..../Q.....p.C............y;.'.M..f.y'Nb........B.\|...(..~e.5.....'..w...A...y.\|.....B.....z..=$.......$.k.C~...a..1.}...sNH.q;..Y..o...j.].'..~.)..H.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-GLRSJ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	3.490442714261337
Encrypted:	false
SSDEEP:	24:hvTTTTTTTTTTTr6TTTTTTTTTTTTc2UTTATTTTTiTTFTTTTKTTTLTTUTTT5PTTVTp:NTTTTTTTTTTT2TTTTTTTTTTTTc2UTTAa
MD5:	3EFC7DC297E404B3905700EC7BAD9F52
SHA1:	51AA1918C57A97D0C0C60D7AE9C55356E6F6B8F9
SHA-256:	455B953BE12AFA28BF8823BBD0A8E2C1D7730878FBCBF7B1D3245D4FB5A09ACA
SHA-512:	29644DA8AB7596B0EF2849BF7BBED4B76478C38DCA6EE7E735D4CA9B4693F1978CF60A5909C8733A98CF5C14F088884FCFC0AED6C85C6109F7838729D18E98F9
Malicious:	false
Preview:	............ .h.......(....... ..... ................................................................................................................................................................B...{.....................................F.......d...........................................................d................................................................................................................................................................+,......................................................................$%..............................................................UU......................................................qq......................................................NO.........................................................................................................e...........................................................e.......G.......................................G..............................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-K1VL7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	284
Entropy (8bit):	6.999082250525666
Encrypted:	false
SSDEEP:	6:6v/lhPLzGx5AzGCL2yyI+9G1TWruJHixcusmPuAU/iCSS1zbuaVVp:6v/7DyeL2/Gor8HixWmkSEt7
MD5:	08D991D399E657EA3A81DA798D204DD8
SHA1:	8B8161A39DA344A96DCC40F8722D7C2BDAEE05D3
SHA-256:	0DC9ECD2BB9B3A9E95D45B431B050CB3B32D7D1913CAEE21223193F6D6DFA4C2
SHA-512:	C2CDCA46638E013B0196DA608FEC94846E006817852556BAD6702CC7A2798E93C3E6BC3678450C55C9C89590AF2BDE12C3032D449CCE7A3B5FF637987936000B
Malicious:	false
Preview:	.PNG........IHDR................a....IDAT8..R...p...U.....\..rvt.6-".c...am.....!q.j.sPJ.0..;....#..P......7T.....#.1l..G.wc.T}YB%F8.R........Yv.zu?..........].....ag.v..d.v.X..].0..l'....e..f..5.."}.....Za.. ,S\|.......,t...p.d.{...]..u..U.D._....!9...q...W9].......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-KHHJ1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	284
Entropy (8bit):	6.999082250525666
Encrypted:	false
SSDEEP:	6:6v/lhPLzGx5AzGCL2yyI+9G1TWruJHixcusmPuAU/iCSS1zbuaVVp:6v/7DyeL2/Gor8HixWmkSEt7
MD5:	08D991D399E657EA3A81DA798D204DD8
SHA1:	8B8161A39DA344A96DCC40F8722D7C2BDAEE05D3
SHA-256:	0DC9ECD2BB9B3A9E95D45B431B050CB3B32D7D1913CAEE21223193F6D6DFA4C2
SHA-512:	C2CDCA46638E013B0196DA608FEC94846E006817852556BAD6702CC7A2798E93C3E6BC3678450C55C9C89590AF2BDE12C3032D449CCE7A3B5FF637987936000B
Malicious:	false
Preview:	.PNG........IHDR................a....IDAT8..R...p...U.....\..rvt.6-".c...am.....!q.j.sPJ.0..;....#..P......7T.....#.1l..G.wc.T}YB%F8.R........Yv.zu?..........].....ag.v..d.v.X..].0..l'....e..f..5.."}.....Za.. ,S\|.......,t...p.d.{...]..u..U.D._....!9...q...W9].......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-L78IJ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.007783593279535
Encrypted:	false
SSDEEP:	24:w66666666666BOOOOOOOOOOSXOOOOOOOOOOSXOOO2OOOSXOeKLOSRMlSkHdOOOO9:w66666666666P3O66666666666/Ojk
MD5:	887346B0A7F145675E44AB17E35F54FE
SHA1:	C22531915DF0528177698EA3AD39DB9A70EA6869
SHA-256:	BAC266365103ED4DDCA35A3B2398886E2090BBE53899DC809FA7DC9599654BC9
SHA-512:	7EEC4DAE36617AE74FA8A916ED16746FD97BBC742C05BBA3250904660D1C8E87989D39BCEEAE405016A95F22BE937EBDB789A22E42CD1088F0ABF623916679B8
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................................................................................................................................U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6V..........................................................Z..V..........................................................Z..V..........................................................Z..V..........................................................Z..V......................p...q...q...p.......................Z..V..............t...s...................u...s...............Z..V......z...p...................................q...w.......Z..T..j...................................................k...W..V..........................................................Z..V..........................................................Z..U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6..........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-M6ESF.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.007783593279535
Encrypted:	false
SSDEEP:	24:w66666666666BOOOOOOOOOOSXOOOOOOOOOOSXOOO2OOOSXOeKLOSRMlSkHdOOOO9:w66666666666P3O66666666666/Ojk
MD5:	887346B0A7F145675E44AB17E35F54FE
SHA1:	C22531915DF0528177698EA3AD39DB9A70EA6869
SHA-256:	BAC266365103ED4DDCA35A3B2398886E2090BBE53899DC809FA7DC9599654BC9
SHA-512:	7EEC4DAE36617AE74FA8A916ED16746FD97BBC742C05BBA3250904660D1C8E87989D39BCEEAE405016A95F22BE937EBDB789A22E42CD1088F0ABF623916679B8
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................................................................................................................................U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6V..........................................................Z..V..........................................................Z..V..........................................................Z..V..........................................................Z..V......................p...q...q...p.......................Z..V..............t...s...................u...s...............Z..V......z...p...................................q...w.......Z..T..j...................................................k...W..V..........................................................Z..V..........................................................Z..U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6..........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-NHF3N.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	284
Entropy (8bit):	6.999082250525666
Encrypted:	false
SSDEEP:	6:6v/lhPLzGx5AzGCL2yyI+9G1TWruJHixcusmPuAU/iCSS1zbuaVVp:6v/7DyeL2/Gor8HixWmkSEt7
MD5:	08D991D399E657EA3A81DA798D204DD8
SHA1:	8B8161A39DA344A96DCC40F8722D7C2BDAEE05D3
SHA-256:	0DC9ECD2BB9B3A9E95D45B431B050CB3B32D7D1913CAEE21223193F6D6DFA4C2
SHA-512:	C2CDCA46638E013B0196DA608FEC94846E006817852556BAD6702CC7A2798E93C3E6BC3678450C55C9C89590AF2BDE12C3032D449CCE7A3B5FF637987936000B
Malicious:	false
Preview:	.PNG........IHDR................a....IDAT8..R...p...U.....\..rvt.6-".c...am.....!q.j.sPJ.0..;....#..P......7T.....#.1l..G.wc.T}YB%F8.R........Yv.zu?..........].....ag.v..d.v.X..].0..l'....e..f..5.."}.....Za.. ,S\|.......,t...p.d.{...]..u..U.D._....!9...q...W9].......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-O1HE1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	6.276060631735337
Encrypted:	false
SSDEEP:	24:MXjJ+Ja5yURg0WulL9rChz1XcXbQxX2rD4:kIJ4yURgLkprChzBcXbeXID4
MD5:	97B03F45DC3F2AA6B9908A842ED7A308
SHA1:	5C0489A30B7805DB94B9F60C53616A4CA8BCA5C4
SHA-256:	C08548C6A31E3C58F69B083ADAA3154C5957619E65F1FF910FDBB7F83B480183
SHA-512:	78130C2A02CF5E56103C42E3ADB35CA85DBB8A66259C895F7CEB987B1BC7B73932F54A2F28B4F065765C9B9264E088E57C5DEE70ABCC9B41D9DE6AEE90BE08A9
Malicious:	false
Preview:	............ .h.......(....... ..... .............................U="..b<.f>.f>.f>.f>.f>.f>.f>.f>.f>.f>.b<.U=".....W>"..wJ..tH..tH..tH..tH..tH..tH..tH..tH..tH..tH..tH..tH..wJ.W>"..g;.pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..g;.i<.mA..mA..l@..l?..l@..mA..mA..m@..l?..l@..mA..l@..l?..l?..i<.g9.j>..j=..\|].......l..i<..j>..sQ.......]..i<..._.......y..f7.e7.g:..d4..............a2..g:..x^.......t..g<..........rJ..e6.c4.c6..a8..............tM..c6..x].......o...........y..a3..c4.a2._1...n......\|c..........^0..x[.................[,..`2..a2._/.X'.........]/.........`2..~c...............w..Y*..]..._/.[+.f?.........tL...........j...u..................._..c7..[+.yR.............a...g.......................a...........d..yR.i........u...r...o..........~..........r..............j.z.........................................................z...............................................................p[..............................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-PFDOD.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	3.5696063839477725
Encrypted:	false
SSDEEP:	12:0onYbuFo5fA8aRoEttw4HX1Jur9OrnYGKBjD21cmex8ZJnISD:9loEttw8uWy9sYK
MD5:	4F38A1E43DE6E4F1BD4BDBCC55706408
SHA1:	BBBDFB099C1921BD944230FC37DC9963FD2EED81
SHA-256:	9CA3C995F7DB760EFF9ED69DFDBA578481CAB520D164F1B7A1201E1DFB7AAA66
SHA-512:	6840EAE20F876A5DE457AB3DC703E28D302FB640E641F9AC2117D8EF30DF447BCC265F3CDC68DA5EE21CF14AA0FFB7AD6873C041DF016DD536018E7BC9E59A90
Malicious:	false
Preview:	............ .h.......(....... ..... ........................................q...................................b.......................................!...............s...................................................................................................x...............................................................MJ...................g...8......................................*#...................................e..~........................................]......................"....................................S.......X...................... ....................................^...............................................i...........................K..........................?...n....................,......................y...J...........................J...................................................................................................................................4...........o..................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-PLC9P.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1143
Entropy (8bit):	5.316029185743153
Encrypted:	false
SSDEEP:	12:6v/7u/BKpQr+mJEhtGXJoZ3ZbMzcLLUaMdEAfk8zKGPsl1:5Kpf3GXJoXMwL/MdEAfk87Ez
MD5:	6C2EE6F053AB95D2AA3924EE689E80B9
SHA1:	734FE9B1CAE77E70BE14D79B2A14B545AA249499
SHA-256:	FC44A14405F3747A5D87DD09CCABB3C0E312B5E127929C6E2CF5920F125F132A
SHA-512:	5BA51D89FD4BF61BE55AFC3210FB31ED7DAEA5C44D9829BF0CC48685EF283ADD50F53039748312CD57194085067D88BCD0B9FA0A58C462DA595E2BB54534FFF5
Malicious:	false
Preview:	.PNG........IHDR.............(-.S....sRGB.........gAMA......a.....PLTE.Nm.Ex.Sr._Y.Vc.m\.\|_.r`.ra.5..,..4..=..8.....C..N..E..F..J..K..A..k..n..o..m..m..n..l.....c.g.h.z.{.g..j.s.t.x..n..z..q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................./V.4....pHYs...........~.....tEXtSoftware.paint.net 4.1.6.N......IDAT(S]..;.Q....t..9&K.......R(.U(!DD....<.....y....eE......X.p.+4...f.k....n....E)e(.....%..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-PSGBH.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	485
Entropy (8bit):	7.183161975210355
Encrypted:	false
SSDEEP:	12:6v/7wM6ZjkLD81AWeAqr9XoQh35hBMjExRnj8OiD1i77sOw3N:XMfLDMe/4QFTyExl8Oihi8OIN
MD5:	E09587AD1847CF4E2AD03524A3C1CA7D
SHA1:	9564E6F66C74E3079F2DDA05A6A61742FB23683D
SHA-256:	603A9A84F0E095585BD39B27CD4C4D194A4A45C664373D636E493C2841084957
SHA-512:	5A00DB9331B1F1536C6152BF99F7245D159E46101122FA6827B0D5EF8D0377DB66DBB4CEAECA69F1AEC8FDDE51B506CB471B58A34E8A3DF09BAE0FC3F117CA2A
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS4.......tEXtCreation Time.12/12/08.Z.....=IDAT8....J.P....DJ.V.hK!b...E.;8..../. 8._.'p..!...I.v.EQi. ...CZ..%..-.s...~.....cr....!."TjR...RY04M....!...s..i....'.r.j...../.>......(.g.....=...2....>~...89.Eq.....?.\.Z......C...cE...\|.I.X.....(I...W.a..zj...O.:.?.........,.....PK...c...Y..5...B..k........jlmn@..S...qe]...z..p.1..\.E..\|...d{{.......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-R0DSA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.007783593279535
Encrypted:	false
SSDEEP:	24:w66666666666BOOOOOOOOOOSXOOOOOOOOOOSXOOO2OOOSXOeKLOSRMlSkHdOOOO9:w66666666666P3O66666666666/Ojk
MD5:	887346B0A7F145675E44AB17E35F54FE
SHA1:	C22531915DF0528177698EA3AD39DB9A70EA6869
SHA-256:	BAC266365103ED4DDCA35A3B2398886E2090BBE53899DC809FA7DC9599654BC9
SHA-512:	7EEC4DAE36617AE74FA8A916ED16746FD97BBC742C05BBA3250904660D1C8E87989D39BCEEAE405016A95F22BE937EBDB789A22E42CD1088F0ABF623916679B8
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................................................................................................................................U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6V..........................................................Z..V..........................................................Z..V..........................................................Z..V..........................................................Z..V......................p...q...q...p.......................Z..V..............t...s...................u...s...............Z..V......z...p...................................q...w.......Z..T..j...................................................k...W..V..........................................................Z..V..........................................................Z..U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6..........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-R4SEP.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	284
Entropy (8bit):	6.999082250525666
Encrypted:	false
SSDEEP:	6:6v/lhPLzGx5AzGCL2yyI+9G1TWruJHixcusmPuAU/iCSS1zbuaVVp:6v/7DyeL2/Gor8HixWmkSEt7
MD5:	08D991D399E657EA3A81DA798D204DD8
SHA1:	8B8161A39DA344A96DCC40F8722D7C2BDAEE05D3
SHA-256:	0DC9ECD2BB9B3A9E95D45B431B050CB3B32D7D1913CAEE21223193F6D6DFA4C2
SHA-512:	C2CDCA46638E013B0196DA608FEC94846E006817852556BAD6702CC7A2798E93C3E6BC3678450C55C9C89590AF2BDE12C3032D449CCE7A3B5FF637987936000B
Malicious:	false
Preview:	.PNG........IHDR................a....IDAT8..R...p...U.....\..rvt.6-".c...am.....!q.j.sPJ.0..;....#..P......7T.....#.1l..G.wc.T}YB%F8.R........Yv.zu?..........].....ag.v..d.v.X..].0..l'....e..f..5.."}.....Za.. ,S\|.......,t...p.d.{...]..u..U.D._....!9...q...W9].......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-R6F3P.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.78558880583897
Encrypted:	false
SSDEEP:	12:KfbXxEm8sLBtLt08SHKdvaB8a+jzSCt/lgj5XTc64b6fNSuHwPqD7H:KfbhX8sL90rHKNaB8ayRYdjc64OpVb
MD5:	BD477227A18FED51A2C527EA4E32400B
SHA1:	6FC1F173245E77BDA386CE112D9A19502E5C0A92
SHA-256:	6569A42B81E6B02E8385CDF5EED48A3FBF3CB89101142723FAAEECDC9785D203
SHA-512:	20DC45444E3D2FF3C5C427C60A5B1C7941FFE74E79B9C156E033D53DCBB616AA2A0518AFC2CCFD7FAC4D95581AC2606DF81B7BACA7EA28AD875871949DD8229B
Malicious:	false
Preview:	............ .h.......(....... ..... ......................................................................................................fA..hB..kD..mE..oG..sI..tK..rI..lE..iC......................b?..................................fA.............._<.....d?..fA..hB..jC..e<.............d..d=.....b?..........]<.....c?..d@..fA..hB..b;.............c..b<.....a>..........[;.....a=..b>..d@..e@..`9.............a.._:.....`=..........Z:....._<..`=..b>..c?..Y4.............{\..Y5.....]<..........X9.....\;..]<.._<..a=..nN.............v..pQ.....[:..........V7.....X8..Y8..Y8..[:.............................W7..........S5.....eE..mL..sQ..wU.............................T5..........{[.....f..g..g..g..}Y................wS.....\|\..........j.....i..i..i..j..e........................i..........o.....o..o..o..o..o..k.....................n..............u.........................v......................{..{..{..{..{..{..{..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-RANV1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.007783593279535
Encrypted:	false
SSDEEP:	24:w66666666666BOOOOOOOOOOSXOOOOOOOOOOSXOOO2OOOSXOeKLOSRMlSkHdOOOO9:w66666666666P3O66666666666/Ojk
MD5:	887346B0A7F145675E44AB17E35F54FE
SHA1:	C22531915DF0528177698EA3AD39DB9A70EA6869
SHA-256:	BAC266365103ED4DDCA35A3B2398886E2090BBE53899DC809FA7DC9599654BC9
SHA-512:	7EEC4DAE36617AE74FA8A916ED16746FD97BBC742C05BBA3250904660D1C8E87989D39BCEEAE405016A95F22BE937EBDB789A22E42CD1088F0ABF623916679B8
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................................................................................................................................U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6V..........................................................Z..V..........................................................Z..V..........................................................Z..V..........................................................Z..V......................p...q...q...p.......................Z..V..............t...s...................u...s...............Z..V......z...p...................................q...w.......Z..T..j...................................................k...W..V..........................................................Z..V..........................................................Z..U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6..........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-SOV88.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	284
Entropy (8bit):	6.999082250525666
Encrypted:	false
SSDEEP:	6:6v/lhPLzGx5AzGCL2yyI+9G1TWruJHixcusmPuAU/iCSS1zbuaVVp:6v/7DyeL2/Gor8HixWmkSEt7
MD5:	08D991D399E657EA3A81DA798D204DD8
SHA1:	8B8161A39DA344A96DCC40F8722D7C2BDAEE05D3
SHA-256:	0DC9ECD2BB9B3A9E95D45B431B050CB3B32D7D1913CAEE21223193F6D6DFA4C2
SHA-512:	C2CDCA46638E013B0196DA608FEC94846E006817852556BAD6702CC7A2798E93C3E6BC3678450C55C9C89590AF2BDE12C3032D449CCE7A3B5FF637987936000B
Malicious:	false
Preview:	.PNG........IHDR................a....IDAT8..R...p...U.....\..rvt.6-".c...am.....!q.j.sPJ.0..;....#..P......7T.....#.1l..G.wc.T}YB%F8.R........Yv.zu?..........].....ag.v..d.v.X..].0..l'....e..f..5.."}.....Za.. ,S\|.......,t...p.d.{...]..u..U.D._....!9...q...W9].......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-TT3P3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	404
Entropy (8bit):	6.917623353697257
Encrypted:	false
SSDEEP:	12:6v/78/LcZn9Kk5YNxqZcvZ46+mxhdPGDjrc:KZUIYNxtvPZV
MD5:	483305114EBE1A4A44773D21D611216C
SHA1:	3C0FBD8BA2AE801A9B03CC238AB641E65E9B67D2
SHA-256:	A150DC4A0B8367A03736C12A4851EB29D780D3EE2B1D0709B417BE0A5FCE1774
SHA-512:	706D04A9BAC5EFA0F85A2070305BF52908D1D4DFF1AE27B4EA09E7BAC291D94B2E980EEEEA9A9C29559E2C728E44C276561F559532E3DFB929AD70C4829FA111
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...........~.....tEXtSoftware.paint.net 4.1.6.N......IDAT8Oc.......Ya..s...f......-;+,....l.. 9...Z....."..@...`.^...G.I..Az......&y....yI..q.,$..h...l..v..............n.H/.6...........vh.?,...4../..O..wQU....8..n..?....wYG.C...^....$.9......h<'(..M.(...N.g......U..i.9!..@z>.^.T...AI........3.5.........00...!s&...T....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-UHPL8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	781
Entropy (8bit):	7.651387048168162
Encrypted:	false
SSDEEP:	24:tfp9eW5Oon3iu7MTGS7ZN6tv1lyvv60hrTcdrU:j9eW5VSOwn4lwi0tGU
MD5:	4121D02B972D718C30E8B41023B894EE
SHA1:	751D347690F151AEAC02DD8C69A1F3D629D1DDD0
SHA-256:	807241CF72D7A2CC7DA63ADE8E22F6D1976E9B5D4B9CEC8479960EF4CE0CAD24
SHA-512:	FCDF69080406D542FA6A460C741BD53B4BC052D26EF930F61381CD05B73DCC1D8F13AE71A786E0C795BBE6889ED044D2CF9427CCC3E29CBF3BB7C97188E31BF0
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx..MH.a.....[..'...m&......h...C...!.....T...%.(l........6...!Z7E.v%.e.u.gfwvg..P../<..........$.8.". ..W..#]..D.L...q..2"N.!.."ar.9V+.....>..++......Y{..Hk.5.av-./.C..x._..1....,...n7.... ......U..>-Ru....t=.-o...p...W...9z.......\...>....V...,P-..Icr"F,..s1l3<....PU.......J......h@../..R.Y}2........f..R`.....=.a.s.F..y.8e.......[.?..<.....JK.."..p...Y...!..H....L.A0.D.....sU..NQGS..(.xF....._y..S.p2N..w....p,.......=.T.^G....p.$.=w.b..4.~. ...FY5q...!z..N....7EG.r.Og.(.o..8....\..6."J......huh../sT..2%2$?.Y.".....b.y.x?.....=@..w..m.p..T..#..+@M.{...=j\|..-E.x.>@.....h...2.H.?.O......t..a.6.......k..n.5.L..3...8~^..%......G.....!......)..fCMMMWjjj.2aL...c.y....&G.......VA.:..I..........!......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-0OBGN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.907302157036138
Encrypted:	false
SSDEEP:	48:+BfZk7WDHWwgHz/8EKnha1Za+Wt4UhU6XkfAsq6BfyTLDJa8LaMahaavC:ykCrFEZ1k+Wt4UG54sqU6TJaoaMahaa
MD5:	E6EB914C76409FE1F3D53E3C181CC9D9
SHA1:	36A34D8F71B146A39A68F7C0AB02A566FCA24A85
SHA-256:	060DFC41C4D3CCEFA3FD8E104302B42408DA7F54CA13096ED7836EF57C5B4D6D
SHA-512:	7EA5748DF3C9229E166AC5578A23C56FEFC3E395A53D24305FB39D909F1F5ED5193A5F349824890C31D0AD90F7A6A574184A5E0E52C4BA83D868C71B94BB8B87
Malicious:	false
Preview:	...... .... .........(... ...@..... ................................................................................................................................................................................................................................................................................................................[...................................................................................[...................................-..................................................................................................-......................................................................................................................................................[...........................................................................................................[.............................................................Q..'.....................*..................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-3FHSQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.0368545253190575
Encrypted:	false
SSDEEP:	24:suW8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFd:CnnnnnnnckhOktpqNbfYI0HnnU
MD5:	FDA8396F15F15D61AC82C01DEBD0C356
SHA1:	CB0B8623FB7B62BACA444C76BE9F69BD4D2963A1
SHA-256:	E9180F49762D2798D2D3AF867BFA78F7CDEAA87BE9190C4D40BBA799F6E49FCC
SHA-512:	DEEB917EB7240A2D157F11F2167A1B3FE6CE91C63B125F18671C03D8117AAC736B431BBCF6015A73DBEDD94A8F5D10D1988D7FC96FCA0B3F05324EE800581D15
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...................................................................................................................H...H...H...H.....................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-5AP2V.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.0497425098377073
Encrypted:	false
SSDEEP:	48:lLkTTTTTTTTTTTTTTTTTTTuTTTTTTTTTTTTTTTTTTTTTTTTTT/TTTTTTTTTTTTTt:J4Osj4
MD5:	BF35CDB2F5E57DDFC543AF37943A1077
SHA1:	0CF4E53B9B623BEF1E52BDEFCD31D155EAA4C9C2
SHA-256:	82803689C06BF4D08AA1852D2C5CD3CE08258C828F12DF85C56BB6FC21A8E835
SHA-512:	60CC6A06BD361CFD73D696717225CDB3B57278840606558D1B65390B531A590BDF08B2CB147B3159529DBB30D5C953C693E663D7E589B1E03756121EC3040199
Malicious:	false
Preview:	...... .... .........(... ...@..... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................$$.........$.......5...<...C...G...K...O...S...S...P...N...K...E...>...7...0...#.......................................Q..........................................................................................................T...............\|...................................................................................................................\|..............................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-5CEQ2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	6.506385614203068
Encrypted:	false
SSDEEP:	96:8++kbjhMq1a9dJsg987jefKQ4N8tttttttttttttttttt6n:v+kbjhMgxjefKVl
MD5:	7B60FEEE9EF0D5277330748C9E1592A3
SHA1:	54DCE445A030CF59EFC15B1AB977EE6358BC02BC
SHA-256:	8891B8CB9AD98FB86BEA6DD1D3D8717C997440CEE2519565A3D9B46133FDB5DC
SHA-512:	915D4CD6C012DB9EC96257D4B1AD40367E1DE0940A22695547EA55DACBD2DB3FCD869556886013618A5F09053C6C8CBE97950E798794B1E681488FE98F52E84F
Malicious:	false
Preview:	...... .... .........(... ...@..... ....................................6-...Y>#.oO,.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.qQ-.oO,.Y>#.-......6...............OzU-..R...R..\|O..{O..{O..{O..{O..{O..{O..{O..{O..{O..{O..{O..{O..{O..{O..{O..{O..{O..{O..{O..{O..\|O...R...R.zU-....O.......%}W...P..vK..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..uI..vK...P.}W.....%6#.w.~M..uH..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..sG..uH..~M.6#.wsO(..xK..qF..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qE..qF..xK.sO(..b4.tG..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..pD..tG..b4.c5.qD..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..nB..qD..c5.c5.pB..m@..l@..l@..l@..l@..k>..j=..j=..k

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-5E65N.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	6.4394112066038
Encrypted:	false
SSDEEP:	96:JfMeD5/LLxul//e//O//5UtkRU3sovxWlDoq+ESjoHAICy:Jf5D5vxul//e//O//2tk6s00lx+Eqog0
MD5:	539F181408594BE8AB8295972C4235BE
SHA1:	692665445CF08589D98C943956CCFAF537B94C50
SHA-256:	4DE87763921B6DC43B630BDEB41C7CFB81290DCBDA2E1F3E4B29ECE0A364EFF7
SHA-512:	40E4FBF36D482EB2A1F21DA82973A06E209BBCB4FB90091B21BC750A0BF544F4825D54F269D785B18F6CC2708EE5CAE664A8E98197DB84AB210991C9A844E765
Malicious:	false
Preview:	...... .... .........(... ...@..... ..........................n...n...q...v...w...v...w...x...x...w...w...w...v...w...v...w...v...w...w...w...v...w...w...x...w...v...w...w...u...q...n...n...n...w.......{...y...y...x...z...z...y...y...y...w...x...x...z...y...x...y...y...x...x...x...y...x...z...x...z...{.......w...n...s.......t...r...r...s...r...r...s...s...r...r...r...r...r...q...s...q...s...s...s...s...r...t...s...s...r...r...r...r.......s...y.......s...r...t...s...u...u...s...s...t...u...u...u...t...s...s...s...u...u...s...u...t...t...s...t...t...s...t...u.......x...z.......w...v...v...u...u...w...v...v...u...v...u...v...w...v...u...t...u...u...u...v...w...u...u...v...u...v...u...v.......y...{.......v...w...v...v...w...x...v...x...w...x...w...u...v...u...w...u...u...u...v...x...v...w...v...v...x...x...x...w.......z...\|.......x...y...y......................{...y....P...................O..x...x...z...y......................x...z...y.......{...\|.......{...z...z......................z

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-7I8B0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.0368545253190575
Encrypted:	false
SSDEEP:	24:suW8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFd:CnnnnnnnckhOktpqNbfYI0HnnU
MD5:	FDA8396F15F15D61AC82C01DEBD0C356
SHA1:	CB0B8623FB7B62BACA444C76BE9F69BD4D2963A1
SHA-256:	E9180F49762D2798D2D3AF867BFA78F7CDEAA87BE9190C4D40BBA799F6E49FCC
SHA-512:	DEEB917EB7240A2D157F11F2167A1B3FE6CE91C63B125F18671C03D8117AAC736B431BBCF6015A73DBEDD94A8F5D10D1988D7FC96FCA0B3F05324EE800581D15
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...................................................................................................................H...H...H...H.....................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-7MRBP.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	2.907368134642011
Encrypted:	false
SSDEEP:	48:WRkPCxmKeaeee6Sz1WDl2bbkVmB4g7mGpzSl:0xmKfSz18C+wQl
MD5:	5738301E256B421DA693EFD4DC523727
SHA1:	18C0624ED82BA03C8A1FBDB720F47DAEE5A694E3
SHA-256:	67CD0A812DBCB3FAC6D87A01EF134D66937DA8166602854CB6FC01DA7A94388D
SHA-512:	75E6B019DBBA805982A4168D17FEB46DFF8C832DA1BA0A6B3C131725FB0D0ECD598532576620A086867EE679486819FB0332F25597E9FC1B42454E846B3EC84D
Malicious:	false
Preview:	...... .... .........(... ...@..... ............................................................................................................................................................................................G.......................................................................5...............................................................U...........................................(...........................................................................................u...........................0...........................................................................]...............................}...........5...................................................................................:...........................................................................................................................................................................................................~..................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-A6RLR.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.713510909371912
Encrypted:	false
SSDEEP:	48:+bQZkzhN60+qAWGgEoP30eRH4VAIEftmtCCPV7VrllypoC:z6N6/WGChsKUtHVH4poC
MD5:	9D7DB8AFD191BC67C9E410619010B1CB
SHA1:	19B0D0D72B3656FEE507E633739CF71B3FD642E9
SHA-256:	1A27BB476C1E83AFF622369138CA27B866B6D7865A35E021A0985FA3CCB023A3
SHA-512:	98D3105521E6E5625FF8E822A327455624395347C5CB5736720164078842E84411531BE03C3C59166DA8F5EB3A682EA5D0BCF6F74C97E9DE61EE4505BF19FDD2
Malicious:	false
Preview:	...... .... .........(... ...@..... ......................................................................................................................................................................................................................................................................................................D...C...B..A...@...@...?...>...=...=...<...;...:...:...9...8...8...8...8...8...8...8...8...8..8...8.......................E...D..F...P...R"..V'..U&..T&..S%..S$..R$..Q#..P#..O"..N"..M!..M!..L ..K...J...I...H...F...C...@...9...8..8...................E...G...X'..X(..X(..W'..V'..U&..T%..S%..R$..R$..Q#..P#..O"..N"..M!..L ..L ..K...J...I...H...G...F...E...9...8...................F..S!..Z)..Y)..X(..W(..W'..V&..U&..T%..S%..R$..Q$..Q#..P#..O"..N!..M!..L ..K ..K...J...I...H...G...F...@...8...................G...V%..[..Z)..Y)..X(..W'..V'..V&..U&..T%..S%..R$..Q$..g...X..X..X..X..X..X..X..g...I...H...G...C...8...................H...\+..[..[*..Z)..Y)..X(..W(..W

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-A7NTE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.0368545253190575
Encrypted:	false
SSDEEP:	24:suW8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFd:CnnnnnnnckhOktpqNbfYI0HnnU
MD5:	FDA8396F15F15D61AC82C01DEBD0C356
SHA1:	CB0B8623FB7B62BACA444C76BE9F69BD4D2963A1
SHA-256:	E9180F49762D2798D2D3AF867BFA78F7CDEAA87BE9190C4D40BBA799F6E49FCC
SHA-512:	DEEB917EB7240A2D157F11F2167A1B3FE6CE91C63B125F18671C03D8117AAC736B431BBCF6015A73DBEDD94A8F5D10D1988D7FC96FCA0B3F05324EE800581D15
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...................................................................................................................H...H...H...H.....................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-AISIK.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.288019933532579
Encrypted:	false
SSDEEP:	96:OjwqZN3wbSWxcd+/da0jaP77C9AVM24KveTySDQF:OjwqZNAbSWxcIOvCWe2SY
MD5:	D3C536BA60769EC6301D00AA3EF5E2EE
SHA1:	5896533F46A247CE288CDC2268ED7C90F5AFC433
SHA-256:	828C41C37260041061C57765B8316A30768306AAA829815F25AB7FE5FB9955C2
SHA-512:	9BA9C36F464D2C260215A765DAF67E789B09EBEC484000037EE394277419692B85497ED4643B6770A5FCB641363FE05DBF15F33C6DF56C46837DEE5DAB8BA7AF
Malicious:	false
Preview:	...... .... .........(... ...@..... ................................................................................................................................................................................................................................................................................................................[.......................k.k........................................................[...................................-............................................6.6.,.,...&.&."."....................................-................................................g...A...1...,...>...o.......q.q.'.'.).).%.%.!.!........................................................[................U...<...:...3...+...$......................&.&.).).%.%. . ................................[................................]...O...H...A...9...2...*...#...........'.......~.~.+.+.(.(.$.$. . .............................................................N...V...O...G...@.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-B9I7D.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.0368545253190575
Encrypted:	false
SSDEEP:	24:suW8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFd:CnnnnnnnckhOktpqNbfYI0HnnU
MD5:	FDA8396F15F15D61AC82C01DEBD0C356
SHA1:	CB0B8623FB7B62BACA444C76BE9F69BD4D2963A1
SHA-256:	E9180F49762D2798D2D3AF867BFA78F7CDEAA87BE9190C4D40BBA799F6E49FCC
SHA-512:	DEEB917EB7240A2D157F11F2167A1B3FE6CE91C63B125F18671C03D8117AAC736B431BBCF6015A73DBEDD94A8F5D10D1988D7FC96FCA0B3F05324EE800581D15
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...................................................................................................................H...H...H...H.....................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-BKV64.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.0368545253190575
Encrypted:	false
SSDEEP:	24:suW8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFd:CnnnnnnnckhOktpqNbfYI0HnnU
MD5:	FDA8396F15F15D61AC82C01DEBD0C356
SHA1:	CB0B8623FB7B62BACA444C76BE9F69BD4D2963A1
SHA-256:	E9180F49762D2798D2D3AF867BFA78F7CDEAA87BE9190C4D40BBA799F6E49FCC
SHA-512:	DEEB917EB7240A2D157F11F2167A1B3FE6CE91C63B125F18671C03D8117AAC736B431BBCF6015A73DBEDD94A8F5D10D1988D7FC96FCA0B3F05324EE800581D15
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...................................................................................................................H...H...H...H.....................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-HIOOS.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	6.0320556453234735
Encrypted:	false
SSDEEP:	48:9C4c77Xlnvx3vIrhdu95k8e00PK5Qw9hN51sEUqK4hlEVnNApv1k8Z5RWVG4444M:44I7X9Zft0P0r+oh/wVnQv3RWVtrQbe
MD5:	AC6FE311F112F577F6A7108D053180ED
SHA1:	AEA6C67AE58A4B0452BBC37170A2F8C948ADE5C1
SHA-256:	5AC764E501C1968A766B7DDCAF3407F25E212EB3E1147D1DF3B34336A511E63F
SHA-512:	A7EFD0FEED7C54DC5756265936AB2E091F2465AE73F4C7A5254AECDA3B02291343822F22FA61399F91B35762655B26D8FB479492561CAEA5F39F33FBE0178281
Malicious:	false
Preview:	...... .... .........(... ...@..... .............................eee.```.nnn.jjj+lll;mmmClllEjjjGjjjGjjjGjjjGjjjGjjjGjjjGjjjGjjjGjjjGjjjGjjjGjjjGjjjGjjjGjjjGlllEmmmCkkk;kkk-jjj.ooo.```.....nnn.rrr.kkk%kkkGkkkcmmmukkk.lll.lll.lll.lll.lll.lll.lll.lll.lll.lll.lll.lll.lll.lll.lll.lll.lll.lll.mmm.lllwmmmckkkGnnn'kkk.mmm.lll.lll#mmmMmmmw.i\..gP.gL.iN.iN.jO.kO.lO.mP.mQ.nR.pR.qS.rS.qR.pR.nR.mQ.mP.kO.kO.jO.iQ.j\.lllwkkkMhhh%qqq.jjj.lll;rkhw.dI...................................................................gJ.tjf{lll=mmm.jjj!lllQ.cH.a>.....d..nK..jE..jF..lF..mG..nH..oI..qJ..rJ..sK..sK..vN..wN..vN..uM..sL..pJ..nH..nG..pL..d.....e@..eH.mmmQmmm!iii).fY.._=.....vV..c?..e@..fA..gA..hB..jC..kD..lD..mE..nF..oF..k@.....................}..d;..iC..hB..gA..wV.....c?..gV.mmm)mmm-.aI......e..b>..c?..d@..e@..gA..hB..iC..jC..kD..lE..mE..mE..h?.........................b9..iC..hB..fA..e@..d.....dI.lll+kkk-._D.....mM..a>..b>..d?..e@..fA..gA..h

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-HNU2O.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.977825738278547
Encrypted:	false
SSDEEP:	96:hszWWWWWWWWWWWWWWWWWWWWWWWWWWWWxDrsAC/nqfyS:hszWWWWWWWWWWWWWWWWWWWWWWWWWWWWF
MD5:	013FF196FE6FA64188221F539A0C75FA
SHA1:	167852F22EEC0C7CD621ECB343DF0F05A855343E
SHA-256:	27B388961D008A5B3085B27942F398021EC73D57549EA62EFF9D1D9542A8C4AD
SHA-512:	046BE975703A10D75ED67D7C71EC87E63F2FD1CE8915521BD30629B6A4A06E3D10EA646B4ADE10F2D8ECC9297FB5165741E1AD4BDB961669CE66E19B80EBCE61
Malicious:	false
Preview:	...... .... .........(... ...@..... .................................\|...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...}...............y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y...y.......\|...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...}...v...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...w...v...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...u...r...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...s...o...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...p...m...n...n...n...n...n...n...n...n...p.....

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-J14PH.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.0368545253190575
Encrypted:	false
SSDEEP:	24:suW8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFd:CnnnnnnnckhOktpqNbfYI0HnnU
MD5:	FDA8396F15F15D61AC82C01DEBD0C356
SHA1:	CB0B8623FB7B62BACA444C76BE9F69BD4D2963A1
SHA-256:	E9180F49762D2798D2D3AF867BFA78F7CDEAA87BE9190C4D40BBA799F6E49FCC
SHA-512:	DEEB917EB7240A2D157F11F2167A1B3FE6CE91C63B125F18671C03D8117AAC736B431BBCF6015A73DBEDD94A8F5D10D1988D7FC96FCA0B3F05324EE800581D15
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...................................................................................................................H...H...H...H.....................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-L04ND.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	476
Entropy (8bit):	7.439177858532215
Encrypted:	false
SSDEEP:	12:6v/7iFaKslEOmLWhwS6ANwTrK7GqrOGZdM0Rtc:7aLlCWhP2fqrOLMtc
MD5:	6591C6A99B1C83E8E82DFBC47DB14D09
SHA1:	391F976F86FDA9E1DDA177B835E38BDEB4916F63
SHA-256:	B6EECDBD6BE6362A75FD90B6E8B322EF64CAFCF9AB207411DAAA255C88E50572
SHA-512:	D10B15A84A63C6C6BAAE451363C60DEC05C39BF7559CB26A205B800EAC5E40271DB17C3A49AA2BBC2FF25FF7FC2FB32AB7D0521BE071B18FFF91CF18DFC80C08
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....IDATX...+Cq....Y...$b\xO..R".z#g....BK.9..6.6.a.Vl...(/M..b.ll4g...su....{^.2..y.4I@.......k....Q...u..$..l.n....\|....\|)h...N..F...WUY..\.p0u0j.@.....0..n;,s%.I.,U.'..o...O.1.MM0...&...J\X./....S...x.......f...d....'_.O.r..A..m.[(..a'.#.?....Z.80.."...D.>.5.3.>...b.P\|.T...'...i/l..B....A.:...<G!p...X. ......(.......*...T!..;.=.(......V..V...N...........B..n..W....h.0.po6.9.e.=+..$..@t..R\|.).>>....~........IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-NKJK1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.0368545253190575
Encrypted:	false
SSDEEP:	24:suW8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFd:CnnnnnnnckhOktpqNbfYI0HnnU
MD5:	FDA8396F15F15D61AC82C01DEBD0C356
SHA1:	CB0B8623FB7B62BACA444C76BE9F69BD4D2963A1
SHA-256:	E9180F49762D2798D2D3AF867BFA78F7CDEAA87BE9190C4D40BBA799F6E49FCC
SHA-512:	DEEB917EB7240A2D157F11F2167A1B3FE6CE91C63B125F18671C03D8117AAC736B431BBCF6015A73DBEDD94A8F5D10D1988D7FC96FCA0B3F05324EE800581D15
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...................................................................................................................H...H...H...H.....................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-O257K.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.0368545253190575
Encrypted:	false
SSDEEP:	24:suW8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFd:CnnnnnnnckhOktpqNbfYI0HnnU
MD5:	FDA8396F15F15D61AC82C01DEBD0C356
SHA1:	CB0B8623FB7B62BACA444C76BE9F69BD4D2963A1
SHA-256:	E9180F49762D2798D2D3AF867BFA78F7CDEAA87BE9190C4D40BBA799F6E49FCC
SHA-512:	DEEB917EB7240A2D157F11F2167A1B3FE6CE91C63B125F18671C03D8117AAC736B431BBCF6015A73DBEDD94A8F5D10D1988D7FC96FCA0B3F05324EE800581D15
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...................................................................................................................H...H...H...H.....................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-OVTAV.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.0368545253190575
Encrypted:	false
SSDEEP:	24:suW8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFd:CnnnnnnnckhOktpqNbfYI0HnnU
MD5:	FDA8396F15F15D61AC82C01DEBD0C356
SHA1:	CB0B8623FB7B62BACA444C76BE9F69BD4D2963A1
SHA-256:	E9180F49762D2798D2D3AF867BFA78F7CDEAA87BE9190C4D40BBA799F6E49FCC
SHA-512:	DEEB917EB7240A2D157F11F2167A1B3FE6CE91C63B125F18671C03D8117AAC736B431BBCF6015A73DBEDD94A8F5D10D1988D7FC96FCA0B3F05324EE800581D15
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...................................................................................................................H...H...H...H.....................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-PEN7G.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.0368545253190575
Encrypted:	false
SSDEEP:	24:suW8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFd:CnnnnnnnckhOktpqNbfYI0HnnU
MD5:	FDA8396F15F15D61AC82C01DEBD0C356
SHA1:	CB0B8623FB7B62BACA444C76BE9F69BD4D2963A1
SHA-256:	E9180F49762D2798D2D3AF867BFA78F7CDEAA87BE9190C4D40BBA799F6E49FCC
SHA-512:	DEEB917EB7240A2D157F11F2167A1B3FE6CE91C63B125F18671C03D8117AAC736B431BBCF6015A73DBEDD94A8F5D10D1988D7FC96FCA0B3F05324EE800581D15
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...................................................................................................................H...H...H...H.....................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-PTR36.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.673387955380768
Encrypted:	false
SSDEEP:	96:Q0YV+XQJt9CeeTQLvNDg9m8nlVlurzJW37a5Mm9bYHEh:9YxCeQQ5DgM8nlVgr9W3emm9bYHEh
MD5:	ECDF723831AEFF58D496FC70C8283BF6
SHA1:	F4FAC6B07305CFB612625391FC50333071665167
SHA-256:	97D0CF1DB2088A9D3EDDE44EF4BBE8731C82FE8539C89BB45A72E9F131BDCE19
SHA-512:	B7FCDCF49BE8507950EFE02890BE516A99BACE7DAB1D6571DF4037C95011491944AE107EE5E507BFDAF342048264AA623E44AAE66824088333DC343051734866
Malicious:	false
Preview:	...... .... .........(... ...@..... ..............................6...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...5...6.......:...L...U...N...M...N...Q...T...X...]...b...f...j..!n.."q..#s..$s..#s.."q..!n...j...f...a...]...X...T...Q...N...N...U...L...:...:...X...F...@...?...?...B...E...I...N...S...W...[...^...b...c...c...c...a...^...[...V...R...M...I...E...B...?...@...F...X...:...;...U...D...A...@...@...A...C...F...J...M...P...S...V...X...Y...Z...Y...X...V...S...P...L...I...F...C...A...@...A...D...U...;...<...V...F...C...B...A...@...A...C...E...H...J...L...N...O...P...P...O...O...M...K...I...G...E...C...A...A...B...C...F...V...<...=...W...G...F...C...B...A...@...A...B...C...A...B...D...G...H...H...G...E...B...B...C...C...B...A...A...B...C...F...G...W...=...=...Y...I...G...F...D...C...B...A...B...>...5...1\|..5...>...C...C...?...6...1\|..5...?...B...A...B...C...D...F...G...I...Y...=...>...[...K...I...I...G...G...D...C...C...D

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-U5ENT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.532691390134044
Encrypted:	false
SSDEEP:	96:nY99Q99TqqeqQEqqeqQ4q0AqPwqKzj05pjskYoE6cCLa5v8XrimfI:vqqeqQEqqeqQ4q0AqPwqKzj05pjxzBaL
MD5:	EA7CF6E021F69BF2044DC239F9875D65
SHA1:	69699CA689463AC506D522CB95EA2507EE9D59F9
SHA-256:	524AE1533708F5B47C73B4513662DAE775303FC2EF5D39B238D139C18864D24B
SHA-512:	019AE06EA6F6CA327465EEBCBF54055CE833B5D5C1BB79AF89EE26351B088BB11E8E1E9544563FC663939D6D25DD2314BE208BDC0AFD6699741103E4C57CA090
Malicious:	false
Preview:	...... .... .........(... ...@..... ..............................................................................................................................................................................................................................................................................................5y{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c..{c...5y............../..4..:..A..J...S...\...f...p...w..............................y...o...c..Y..P..G..@..;..3..............3..<...B...C...C...E...J...J...J...J...J...E...C...C...C...C...D...I...J...J...J...J...I...C...C...C...C...B...?..0..........;...G...I...I...I...I...K...Q...Q...Q...Q...Q...L...I...I...I...I...J...P...Q...Q...Q...Q...P...J...I...I...H...A..5...........<...J...O...I...I...I...I...K...Q...Q...Q...Q...Q...L...I...I...I...I...J...P...Q...Q...Q...Q...P...J...I...I...B..3...........<...J...Q...O...I...I...I...I...K...

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-UFDE4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.433906899003064
Encrypted:	false
SSDEEP:	48:FYv/RQcs//cF///cPG/////cP5Q//////cPQ////////ce///////cE4/////c3Q:uv/RdBmTBVlbaMeExLKwePaSO
MD5:	5B44B02CBAC63F77EDFDB9C6B685AD91
SHA1:	D8592C8C56F4E6DE68835268459472F24362A9CD
SHA-256:	9CD7273F90F5F7C4BD2003695920A551B204A2F73690D6B0918323E2649DD15A
SHA-512:	F0D33196CE43A5D599D271E1176A5A76FD09B271A3B44810CD9DE9310FE4EF57EA1D71918F6B596C1AB42755C890B61D5EF49EBDDE72D5AC879C137B497E83E6
Malicious:	false
Preview:	...... .... .........(... ...@..... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................L]..LY.MY..........................................................................9../9..-8.2....O_..MY..MZ..MZ................................................................................................./9../9..-7..-8.2NY.XMZ..MZ..MZ...........................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\32x32\is-V5UM1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.0368545253190575
Encrypted:	false
SSDEEP:	24:suW8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFd:CnnnnnnnckhOktpqNbfYI0HnnU
MD5:	FDA8396F15F15D61AC82C01DEBD0C356
SHA1:	CB0B8623FB7B62BACA444C76BE9F69BD4D2963A1
SHA-256:	E9180F49762D2798D2D3AF867BFA78F7CDEAA87BE9190C4D40BBA799F6E49FCC
SHA-512:	DEEB917EB7240A2D157F11F2167A1B3FE6CE91C63B125F18671C03D8117AAC736B431BBCF6015A73DBEDD94A8F5D10D1988D7FC96FCA0B3F05324EE800581D15
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...H...................................................................................................................H...H...H...H.....................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\Odnoklassniki\is-12MM1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	296
Entropy (8bit):	6.500966192845998
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3teBQFMnlqsTJee5uicbPfZSyxX0GUd/eup:6v/78/nIQFMnkyf54rfsrpz
MD5:	1374A978134A935973CAF3CD4BFD5DD6
SHA1:	3A24FBE3ACDA81875702DE3DC013EA3C3B717AB5
SHA-256:	DF28F5437300E6BF466FED1E74E785D4BD205ADDB1AACCBB37F51E7FD79B9C13
SHA-512:	076C7993D4547042FF31C8560FC3C0A699C940CAC85668D9622E6B5F26F26C90DB5E395A1AEC0EEACDF842996A5D734FBCC310638C0D3E4C97E328419ED4000B
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc`.&...<...I.....4N.6.?).d...7...2..{..YC...a5.b...h....A..GX1H...(6...d...p....$.^.........w.<.....@..]XJ....K...(.....X^d.2......R..G... .k..^.j....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\Odnoklassniki\is-9JC3T.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	341
Entropy (8bit):	6.666726809754627
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3teHAFYqNQHvot6aM1nqJyVlMt+OxMp:6v/78/noAF2vonMDHs+Ox+
MD5:	7D35A55137029755B25CA2B25F54D7AE
SHA1:	22C1FA56B55C250889EB7B2AECE02803F34E4D43
SHA-256:	07256C3BA7DF49D4258054B35AFD01555CC25BD32D19DA852F1077C5B298A8CD
SHA-512:	2FFE767C9FCE4BC994460E7071579B6DF94A650FF9E3F9CC0538D599CD40178304302583C826F9CF39BAD2F160433E264BD2265DB17D016FA60158EF34461D0A
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc`..L.........@...K.....?..O....Y.e...m./...7.....A. .Y-V.@.a......I6...p. C@\|.!X].jZ... ........n....A\|......l...)\|py5..77...X.....p.a....^@.@........x.@Jz...$..^......7.23.....y..?..k.......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\Odnoklassniki\is-GI6QT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	337
Entropy (8bit):	6.603752167197913
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3te+/CG3J1R7/1JrZywu9ym9mmAivY6Ppmj/jp:6v/78/nfCG3JHVywuUm9mmAiQ6Bmh
MD5:	58280774747B0A7F0CA8B29DACA0B917
SHA1:	0BEEDF45E1CC739DAD3886AD1532A05BDFD2A3E8
SHA-256:	A7FA8ED622AECB52E7FDB363B32CC44C3A6FF5837FF78917DD177DBBE15B7DD6
SHA-512:	21FCDC686E3B700753E975C7A78884E7C0EBAF0ADABF13152B199B97F7F1F6F8FBAF1295ABDA7E2FA5D81683894EB280C1AA92E6695AEA56A289E9F17AE4095E
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc.....?k1Y......g...s.!.......h...,.........3x..k`>.F....`.P.S....7..O`.A4.}'.]....`..`.@4Lq..`.@4^.`....X.!..r@b."r."..l.r.P/.T..$9!..].//XG...4.\|.........4..'h.H...........CK.Tl.u....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\Odnoklassniki\is-IBU8G.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	479
Entropy (8bit):	7.089593114616156
Encrypted:	false
SSDEEP:	12:6v/78/nYc+5kz1ODz/QkR2gWWQQNjWPsiVY:SezqjQW2gfNjIsf
MD5:	011D15EB16A43A3A209EF0AA0AA18EEE
SHA1:	AA2B6FA0994415F1F8375FDA46EE3F3336777D9F
SHA-256:	12DC59580F6AD444E19F24260219FA0B9FDDC1B5873C1F9361C2063A8DC1A4E5
SHA-512:	81D9B1576636754E746523C032D822BB458D2F0FFC3632A132D3C64F32637888C5ADED498060D6020D17CC989DE96D639F8FDAA569F338ACCD810622D0C3C58B
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r....NIDAT8Oc`.......w...Q.+.....?>..r)5k...._....EG.G.-'.-...O.Z...p.....U..3.+m...+O..0w.....s.3.=y...Oa...O.......Z..5$.`...K.....z.........^...Y.6`.zH@.......#....ir...=.....E#(-....Z6.o...l....I2 .l....G..LZ\|.....8{.....;f.@.D.a C..{...../l..?.`..fX.....4...........[g.C..9)...)......w........;CP3.. . }p.....'.......{.........IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\Odnoklassniki\is-RGC2R.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	468
Entropy (8bit):	7.111349425204145
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3tezZiBETckBgamBUuzzCg5z7yDALRIjfq1iMrjWTa/IUlqauE:6v/78/nawkdmBUKf5zaIybM/WqTsY
MD5:	37DA94ECD734F687EF2BD6B876BA3918
SHA1:	20F07BFA0FCF04B900F5E78B503B9E7597BB652D
SHA-256:	310373B5A0CA520244BBC8C21837F356781DE404EBEEAD88A44AC149B4B3EFE1
SHA-512:	AF4D0182BE380DDD3972D905AE8800AA5720DD42FE62504090BBC5BF929771844C7F8DE7594851A562ED982FE3DD4EDA7B07D7177DD037C74A5D0EA510E7A863
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r....CIDAT8Oc`...=./..'........x1H.^.~......p........2...b>..@..4o.u......?.j......Wt...2....\.......'./.\|....`z...O..G. .0.............+{v.]Q....$...._.....x.y...@,...?~c...S....-^..... .~.....~.....?~.....s.C...o.....i..'....4..y...b.Y.s...Uo._....u.Pb..r.8..@..6d.....(.{..A... v..(iB.h..... ..................5BJ.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\Odnoklassniki\is-TM4S5.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	468
Entropy (8bit):	7.111349425204145
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3tezZiBETckBgamBUuzzCg5z7yDALRIjfq1iMrjWTa/IUlqauE:6v/78/nawkdmBUKf5zaIybM/WqTsY
MD5:	37DA94ECD734F687EF2BD6B876BA3918
SHA1:	20F07BFA0FCF04B900F5E78B503B9E7597BB652D
SHA-256:	310373B5A0CA520244BBC8C21837F356781DE404EBEEAD88A44AC149B4B3EFE1
SHA-512:	AF4D0182BE380DDD3972D905AE8800AA5720DD42FE62504090BBC5BF929771844C7F8DE7594851A562ED982FE3DD4EDA7B07D7177DD037C74A5D0EA510E7A863
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r....CIDAT8Oc`...=./..'........x1H.^.~......p........2...b>..@..4o.u......?.j......Wt...2....\.......'./.\|....`z...O..G. .0.............+{v.]Q....$...._.....x.y...@,...?~c...S....-^..... .~.....~.....?~.....s.C...o.....i..'....4..y...b.Y.s...Uo._....u.Pb..r.8..@..6d.....(.{..A... v..(iB.h..... ..................5BJ.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\VKontakte\is-BOV95.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 17, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	362
Entropy (8bit):	6.744489136613283
Encrypted:	false
SSDEEP:	6:6v/lhPOtBUswMR/C+wZA3teVVIqGKvSdmD4lK6mj9I4OPDWwnqtzzfQ27r8aCwt2:6v/7K2sb/nK5GUonx4NMqtzzIorTtxdu
MD5:	0BAB4FC0FAACC30AC714DB34333BAA54
SHA1:	C5AA05973E3267D60F2C927AB67B16FCE8929118
SHA-256:	4E79FBF438C1F6B197D15B08619BCCF862E7076D11C75D0B9CE3007711D94347
SHA-512:	06B09980DB26DA14FB0E80EC2831A9B377112E97EAEAFF967221170A5E3D7FE70B940CCE934629CE0451D41457F1705D76B1E64181D8A9D062FA0C4BD77E34AE
Malicious:	false
Preview:	.PNG........IHDR..............,.....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc`.6..Z......7c...x....>\|.Aj@j.......`....;...F6.l.....@...A....R.3....g..f.......@.+p........R.....i.:r...Hid3(.Q.....6.G...*.#...>!`...j.r... K@.a...?r4"kD.Z..h......x..B.^......D.....`.@5..n....5.r.>y.E.".........IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\VKontakte\is-F83RL.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	468
Entropy (8bit):	7.111349425204145
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3tezZiBETckBgamBUuzzCg5z7yDALRIjfq1iMrjWTa/IUlqauE:6v/78/nawkdmBUKf5zaIybM/WqTsY
MD5:	37DA94ECD734F687EF2BD6B876BA3918
SHA1:	20F07BFA0FCF04B900F5E78B503B9E7597BB652D
SHA-256:	310373B5A0CA520244BBC8C21837F356781DE404EBEEAD88A44AC149B4B3EFE1
SHA-512:	AF4D0182BE380DDD3972D905AE8800AA5720DD42FE62504090BBC5BF929771844C7F8DE7594851A562ED982FE3DD4EDA7B07D7177DD037C74A5D0EA510E7A863
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r....CIDAT8Oc`...=./..'........x1H.^.~......p........2...b>..@..4o.u......?.j......Wt...2....\.......'./.\|....`z...O..G. .0.............+{v.]Q....$...._.....x.y...@,...?~c...S....-^..... .~.....~.....?~.....s.C...o.....i..'....4..y...b.Y.s...Uo._....u.Pb..r.8..@..6d.....(.{..A... v..(iB.h..... ..................5BJ.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\VKontakte\is-L32C8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	288
Entropy (8bit):	6.530333940085824
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3teNpjvb61Qo2SAo+yeZG7q5Vp:6v/78/n+jDqQmEyeZ8g
MD5:	EE2EC82FDFACF590ED0211B44987C617
SHA1:	71F0AFC24952BB5C2F334C56F801470176BCCEC2
SHA-256:	F8199692B7CE8D0C77D9DED524F679D64FF7723421345425B431EE933868AAC0
SHA-512:	220A8C913FED060F38FCA7835D508D8D88531EF940532E8173257741433ED7FB21223CD2EE1EDDB5E770BD44AA632F8B043481CED038167901D65C74A6CC6192
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc`...:.?...?....8H...`C.*\.a....V.1H.........>...ge..\|...w..'...A.... 5-..`..U.}R.I. }.......y..).5..7.s.....u...?.p...t>..$.R.l ..[aR.O......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\VKontakte\is-VVU8N.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 17, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	362
Entropy (8bit):	6.744489136613283
Encrypted:	false
SSDEEP:	6:6v/lhPOtBUswMR/C+wZA3teVVIqGKvSdmD4lK6mj9I4OPDWwnqtzzfQ27r8aCwt2:6v/7K2sb/nK5GUonx4NMqtzzIorTtxdu
MD5:	0BAB4FC0FAACC30AC714DB34333BAA54
SHA1:	C5AA05973E3267D60F2C927AB67B16FCE8929118
SHA-256:	4E79FBF438C1F6B197D15B08619BCCF862E7076D11C75D0B9CE3007711D94347
SHA-512:	06B09980DB26DA14FB0E80EC2831A9B377112E97EAEAFF967221170A5E3D7FE70B940CCE934629CE0451D41457F1705D76B1E64181D8A9D062FA0C4BD77E34AE
Malicious:	false
Preview:	.PNG........IHDR..............,.....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc`.6..Z......7c...x....>\|.Aj@j.......`....;...F6.l.....@...A....R.3....g..f.......@.+p........R.....i.:r...Hid3(.Q.....6.G...*.#...>!`...j.r... K@.a...?r4"kD.Z..h......x..B.^......D.....`.@5..n....5.r.>y.E.".........IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-1ENK3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	410
Entropy (8bit):	6.98484459691547
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3teDEQYCdbzRpDoi7/hZTnWjiGTwiHiyiTVd7UiBwUCmi7yp:6v/78/nKEQYyb9pEm/DWjMJLiZ974
MD5:	0FB46F0A45701EA2D22DCAB7E82C8B5D
SHA1:	71FE89922F1F4DE4C1F7101607A18402F436069A
SHA-256:	C28F498E0C59B1E3741850574D9E7F9282D4BA6F90BFE175B3F24B69561A52EC
SHA-512:	B1E780BDED7AD696E28DC20FA8FEDC11C7A423D134083A6F24DA9D6044D67D1997FED26425939523B02B044FDBEA28D2C05BA039C5024B43DD87C4CECF88CD9C
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8O..K..0..=....^....\.J.**.. ...Ek...T..Vt..$&}D...tf..3mRF.E.BQ+......r.....N?......O..A6.t...r.@G..r.P..r..P.1V... ;@.E..E..XS.Q@.@... ,...W......Y.#..{.p..3@........ ..`!@@w.#...."...\|6.D.....=..(....\|...<.@.Z.......b]....7;Z....~..K...7AN...'...L..P.......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-7D6HE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	288
Entropy (8bit):	6.530333940085824
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3teNpjvb61Qo2SAo+yeZG7q5Vp:6v/78/n+jDqQmEyeZ8g
MD5:	EE2EC82FDFACF590ED0211B44987C617
SHA1:	71F0AFC24952BB5C2F334C56F801470176BCCEC2
SHA-256:	F8199692B7CE8D0C77D9DED524F679D64FF7723421345425B431EE933868AAC0
SHA-512:	220A8C913FED060F38FCA7835D508D8D88531EF940532E8173257741433ED7FB21223CD2EE1EDDB5E770BD44AA632F8B043481CED038167901D65C74A6CC6192
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc`...:.?...?....8H...`C.*\.a....V.1H.........>...ge..\|...w..'...A.... 5-..`..U.}R.I. }.......y..).5..7.s.....u...?.p...t>..$.R.l ..[aR.O......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-7V9TI.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	341
Entropy (8bit):	6.666726809754627
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3teHAFYqNQHvot6aM1nqJyVlMt+OxMp:6v/78/noAF2vonMDHs+Ox+
MD5:	7D35A55137029755B25CA2B25F54D7AE
SHA1:	22C1FA56B55C250889EB7B2AECE02803F34E4D43
SHA-256:	07256C3BA7DF49D4258054B35AFD01555CC25BD32D19DA852F1077C5B298A8CD
SHA-512:	2FFE767C9FCE4BC994460E7071579B6DF94A650FF9E3F9CC0538D599CD40178304302583C826F9CF39BAD2F160433E264BD2265DB17D016FA60158EF34461D0A
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc`..L.........@...K.....?..O....Y.e...m./...7.....A. .Y-V.@.a......I6...p. C@\|.!X].jZ... ........n....A\|......l...)\|py5..77...X.....p.a....^@.@........x.@Jz...$..^......7.23.....y..?..k.......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-8P7BC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	479
Entropy (8bit):	7.089593114616156
Encrypted:	false
SSDEEP:	12:6v/78/nYc+5kz1ODz/QkR2gWWQQNjWPsiVY:SezqjQW2gfNjIsf
MD5:	011D15EB16A43A3A209EF0AA0AA18EEE
SHA1:	AA2B6FA0994415F1F8375FDA46EE3F3336777D9F
SHA-256:	12DC59580F6AD444E19F24260219FA0B9FDDC1B5873C1F9361C2063A8DC1A4E5
SHA-512:	81D9B1576636754E746523C032D822BB458D2F0FFC3632A132D3C64F32637888C5ADED498060D6020D17CC989DE96D639F8FDAA569F338ACCD810622D0C3C58B
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r....NIDAT8Oc`.......w...Q.+.....?>..r)5k...._....EG.G.-'.-...O.Z...p.....U..3.+m...+O..0w.....s.3.=y...Oa...O.......Z..5$.`...K.....z.........^...Y.6`.zH@.......#....ir...=.....E#(-....Z6.o...l....I2 .l....G..LZ\|.....8{.....;f.@.D.a C..{...../l..?.`..fX.....4...........[g.C..9)...)......w........;CP3.. . }p.....'.......{.........IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-A52QD.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	468
Entropy (8bit):	7.111349425204145
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3tezZiBETckBgamBUuzzCg5z7yDALRIjfq1iMrjWTa/IUlqauE:6v/78/nawkdmBUKf5zaIybM/WqTsY
MD5:	37DA94ECD734F687EF2BD6B876BA3918
SHA1:	20F07BFA0FCF04B900F5E78B503B9E7597BB652D
SHA-256:	310373B5A0CA520244BBC8C21837F356781DE404EBEEAD88A44AC149B4B3EFE1
SHA-512:	AF4D0182BE380DDD3972D905AE8800AA5720DD42FE62504090BBC5BF929771844C7F8DE7594851A562ED982FE3DD4EDA7B07D7177DD037C74A5D0EA510E7A863
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r....CIDAT8Oc`...=./..'........x1H.^.~......p........2...b>..@..4o.u......?.j......Wt...2....\.......'./.\|....`z...O..G. .0.............+{v.]Q....$...._.....x.y...@,...?~c...S....-^..... .~.....~.....?~.....s.C...o.....i..'....4..y...b.Y.s...Uo._....u.Pb..r.8..@..6d.....(.{..A... v..(iB.h..... ..................5BJ.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-DTV1D.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	468
Entropy (8bit):	7.111349425204145
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3tezZiBETckBgamBUuzzCg5z7yDALRIjfq1iMrjWTa/IUlqauE:6v/78/nawkdmBUKf5zaIybM/WqTsY
MD5:	37DA94ECD734F687EF2BD6B876BA3918
SHA1:	20F07BFA0FCF04B900F5E78B503B9E7597BB652D
SHA-256:	310373B5A0CA520244BBC8C21837F356781DE404EBEEAD88A44AC149B4B3EFE1
SHA-512:	AF4D0182BE380DDD3972D905AE8800AA5720DD42FE62504090BBC5BF929771844C7F8DE7594851A562ED982FE3DD4EDA7B07D7177DD037C74A5D0EA510E7A863
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r....CIDAT8Oc`...=./..'........x1H.^.~......p........2...b>..@..4o.u......?.j......Wt...2....\.......'./.\|....`z...O..G. .0.............+{v.]Q....$...._.....x.y...@,...?~c...S....-^..... .~.....~.....?~.....s.C...o.....i..'....4..y...b.Y.s...Uo._....u.Pb..r.8..@..6d.....(.{..A... v..(iB.h..... ..................5BJ.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-EAMSK.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	409
Entropy (8bit):	7.015430309226083
Encrypted:	false
SSDEEP:	12:6v/78/ntuuZyeN46QM3TNzORtgDjrSNNXH:j1yA47QRORtgXuL
MD5:	45409D06153FF84BDB5AB3E30C7CAB12
SHA1:	AB84313D7A29E9D9C6308E3B99CB247AAADE34C4
SHA-256:	52611BFC775199483CF8216F2FAEC18FD56B9D895A1173338B36BE5F14F5FC06
SHA-512:	7C21E74A7787B1F26F0A5A4ADC4B4D469C069F6A066E4AE45D72F5515696313BAEC74C9435E04B812521339918E08E2136EBAA81E4351053AF9D372BB372F377
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8O.S...0....fH&........3S.......f0s.}......Z...5...-,aM^zw.{}m..2..x...2.YC....$..u..........9I..-...(.R wf.G..0....>+...lr..f../R*q.q.3.......4M.`..q.c.....$6M..1&.K.F{.6....U=I..?...M.h1dFQd.`.#...zew..\.EAA......v...$...\.$.S.....K.W.b.d...w.....R.F......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-KP2FC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	307
Entropy (8bit):	6.610384624893472
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3tepODZkidAJRzwBtNpQ+YiMpOhbi9eo77Vp:6v/78/nffTBvpQRiombi9j7
MD5:	06CE05DA1418C5F5B952911492F1D313
SHA1:	17A0D4EBD1E5A5BD338ECCAEF1CA9944EEC7C156
SHA-256:	380154EAE1DE86B8AA27433A0044FBB471A0C067E14DD8DD740F6419A06F0EFB
SHA-512:	3735BF636D31B885B429EA1C70CCC3850666A801C53B40F5570EF584D6180486E22A06DB31757987DDC5EDBB209CBF2790A8DB2566C8962107519CEC75F7A871
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc`.p.i.....da.^.....>..Az..x{{...g..^ ..7...a....@.c.............>0...5.W.X...;......765.....b]........... .06..`~.?........0Y..{......_......,..Kqf....l9pA}....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-LH1EA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	386
Entropy (8bit):	7.00776812280233
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3tedVeog/dmQEyGZ34lO47R4pyOcVuAUrm7OGBQ6bp:6v/78/nyA5dmQHuU7SpyOcVtz/Bt1
MD5:	9321CA9A72F08DDF4987816DDCA3D413
SHA1:	DF2EE42EB884D660440C3EBE6D8227EA443DE23A
SHA-256:	46BD2F7186989CAA26BF20092F0BDBA9EC94357A69940F6C8EA16E8E5C0FAEA7
SHA-512:	F37F4348594CB29622B0CEFBD8515772DE49DE8040F906209D6EA44844BDBDDE1C88DF1167B13AFF3D3BF59A41831E7895EF1B4F5C03774B1060BD8FF5D76EAA
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8O./..P........a.h...a..n0..e.."XV.k........9........x....s.o.M.Z..}1MSt]W .+.....M.....E.$I.@.G.0...LA...X.%.a(..Q+6...Tr.*.h..@...9.54j.&.....JcnL.G...x.T..........Z...h.6....<..V..j..<y.f.@S2...d...O..^.T....T...{2..u.....=.q..x.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-M00KR.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	259
Entropy (8bit):	6.365804366050187
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3teZ439CTUXhR7P/jlOS+sknw69p:6v/78/n1NuUXP7PIS+sknTT
MD5:	845E4E3FF8D9BA304B19010CCBD47312
SHA1:	04EB66B1136F8CE4B6564B32E4BB48A48CDF245A
SHA-256:	52F38FE15504A9E7372B94C8881D1304C718673192CD64F0B90696F2BDC797A1
SHA-512:	84BE706BEF872CC3705ECEC96C227285FC1AC3FB6DAAAD1175C6F70DB5D4603BA5859869BD1DB4AB539193971252AE0CACC7C4D769DF589C221280E15DCDB564
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r....rIDAT8Oc...?.%..9.r.....$a...^...j..'....._......H6.Y3Y...L...6..i4........0>.. )D..Ah.k...-[pbX."...D...83Q.........@X....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-MNI3G.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 15 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	304
Entropy (8bit):	6.615232112735145
Encrypted:	false
SSDEEP:	6:6v/lhP8LMR/C+wZA3te4YeOiG/WrSUAHmrOk3I9/t6CEyO9hbp:6v/7V/nw5WGUAHmrJ3Wl3Ol
MD5:	7710D6BF6295D39378CE75797D7509B5
SHA1:	090E061712842B2611BDDF21DE8FDC016DE827AB
SHA-256:	3A098E07391825DB6349455DAF4215AE19C52A55B6838F7539FC1D439F5988A0
SHA-512:	725B1F1292B10C80FAF1B3F9799A8833866829687A798037FEA2477F8E567E077FD2868B1B177D74B7C8C86F501C8E9706733D600774BECB53141BD136C98F5B
Malicious:	false
Preview:	.PNG........IHDR..............V%.....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc.``........@..:;..A........w...'..5W...'....h.a...Pw0..lb 9..0..q.."..Z.~.9..C.....31....Dk.16..g....b.>.`#..;W.....A.1H=H.C....Pc...b.>. ..b)2........+4F....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-Q4D07.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	417
Entropy (8bit):	6.94896891695791
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3te4bUHmsrNAhcSAZF8qYe+QRePg5gJjsDzEm2I81SwJL2l/sc:6v/78/nXUfyFM8q5Ig5gIzjMZSN
MD5:	4C24F1DEA3731AF8E87753BF5809B7AA
SHA1:	E66175AEF9B3B505215D5B8E2502C78A6662493A
SHA-256:	501002F4107D366ABFD5659C858B56EF0A46C053236A83C2BF44AEAA4D41F510
SHA-512:	7AE28379921677BAAD7C011A4FD5D8BC61740A4F4F51D4C726B7765AD0FA4FAE098F3B3EC6E05043DB050F2E0028265DE7A2FE7943A6462790B590FF8787C917
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8OcH....V. ..c..@._\|xD....4.....a.......:r.A\..?..dt.A....'.A.P.x...H".e...}...O....H.n..G..#cl. k...b.....#cl. ..s...W..............l..n.......A.$.w...g..0<E....}...Y.,.7...s..S..?y...A.%].Q0..dq.. ...'U.DE....3.Y.l...........HpJ.e@......?y..'~...n.@.q*@....Pm...uJ....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-R3KJG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	296
Entropy (8bit):	6.500966192845998
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3teBQFMnlqsTJee5uicbPfZSyxX0GUd/eup:6v/78/nIQFMnkyf54rfsrpz
MD5:	1374A978134A935973CAF3CD4BFD5DD6
SHA1:	3A24FBE3ACDA81875702DE3DC013EA3C3B717AB5
SHA-256:	DF28F5437300E6BF466FED1E74E785D4BD205ADDB1AACCBB37F51E7FD79B9C13
SHA-512:	076C7993D4547042FF31C8560FC3C0A699C940CAC85668D9622E6B5F26F26C90DB5E395A1AEC0EEACDF842996A5D734FBCC310638C0D3E4C97E328419ED4000B
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc`.&...<...I.....4N.6.?).d...7...2..{..YC...a5.b...h....A..GX1H...(6...d...p....$.^.........w.<.....@..]XJ....K...(.....X^d.2......R..G... .k..^.j....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-R5PJ1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	414
Entropy (8bit):	6.921441707444873
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3teNq0dooGB9bqqTLPolIae+w2iYjDbg2UOj93OFo4wrbp:6v/78/nilvunTLseF2iYjfg29VOFS
MD5:	6D7B39EE6BA125324EC0457FB8B1CF30
SHA1:	E7B708B0D544F6B3137AB7E06914C8F318859DB3
SHA-256:	7A9A198F92900BF042FEDB164367091853F9E3517B389197234889E68A05B04E
SHA-512:	14CFE6B76479E2BD27E8893E2096B1A27B9B8726E3D70F64F163BEAD669E06D793AD176DF19073ECD5D491E7386A66F74E7AE8734DAC56DD292E401BD2382033
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc`.T .q....U.Sk6.'.a5...o..............dHd....W...0s...E+)0`.. .IrA.P....h.y..v....Y.......gff.1H....n.O.^.6..I.e#;.....G. .....n3.v...Ov.1...@..0 .a.........S...a@$0.;g.B..f.6..x!...}.!..t\|........#...+..._..?..dL(.a..v.O...}.......F..8...P.3A6.'&..P.....e.K......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-R93VO.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 17, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	362
Entropy (8bit):	6.744489136613283
Encrypted:	false
SSDEEP:	6:6v/lhPOtBUswMR/C+wZA3teVVIqGKvSdmD4lK6mj9I4OPDWwnqtzzfQ27r8aCwt2:6v/7K2sb/nK5GUonx4NMqtzzIorTtxdu
MD5:	0BAB4FC0FAACC30AC714DB34333BAA54
SHA1:	C5AA05973E3267D60F2C927AB67B16FCE8929118
SHA-256:	4E79FBF438C1F6B197D15B08619BCCF862E7076D11C75D0B9CE3007711D94347
SHA-512:	06B09980DB26DA14FB0E80EC2831A9B377112E97EAEAFF967221170A5E3D7FE70B940CCE934629CE0451D41457F1705D76B1E64181D8A9D062FA0C4BD77E34AE
Malicious:	false
Preview:	.PNG........IHDR..............,.....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc`.6..Z......7c...x....>\|.Aj@j.......`....;...F6.l.....@...A....R.3....g..f.......@.+p........R.....i.:r...Hid3(.Q.....6.G...*.#...>!`...j.r... K@.a...?r4"kD.Z..h......x..B.^......D.....`.@5..n....5.r.>y.E.".........IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-T98DN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	331
Entropy (8bit):	6.6701546506374205
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3teRZQUgXtmGvGDJ0IkloKlVJjh60HEwTp:6v/78/nGboZvGDQbRF9
MD5:	CC83BBCB39E5B47545CBDFBABFE69864
SHA1:	C2EBFD1842B6877B69F32E00AE7A55BCFA063802
SHA-256:	71197BC1C1D20F42851D4F5ABD91CD47D6C52E9C0100CEC8FBCC57B2E515B4B3
SHA-512:	929369F0D508A6326C0019701CA56E4694109DF2D2EE5372B6F2227F16E7FAC367263CF4065E8E493CC2D69129C116D582076040CBC71A70AF4CCD128BC62165
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc` ..t.>....9A.@E.../...b. ...`..H...Ob..).j...?.q..........0A5&!..r..T\|1A......c.Wpj..R....I.....4......K......@z....4......../ ?.;~..o.4.....(.......E%z....J.@J@"..r.....".#....4.........IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-TAKP2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	337
Entropy (8bit):	6.603752167197913
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+wZA3te+/CG3J1R7/1JrZywu9ym9mmAivY6Ppmj/jp:6v/78/nfCG3JHVywuUm9mmAiQ6Bmh
MD5:	58280774747B0A7F0CA8B29DACA0B917
SHA1:	0BEEDF45E1CC739DAD3886AD1532A05BDFD2A3E8
SHA-256:	A7FA8ED622AECB52E7FDB363B32CC44C3A6FF5837FF78917DD177DBBE15B7DD6
SHA-512:	21FCDC686E3B700753E975C7A78884E7C0EBAF0ADABF13152B199B97F7F1F6F8FBAF1295ABDA7E2FA5D81683894EB280C1AA92E6695AEA56A289E9F17AE4095E
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r.....IDAT8Oc.....?k1Y......g...s.!.......h...,.........3x..k`>.F....`.P.S....7..O`.A4.}'.]....`..`.@4Lq..`.@4^.`....X.!..r@b."r."..l.r.P/.T..$9!..].//XG...4.\|.........4..'h.H...........CK.Tl.u....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\facebook\is-V94N9.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	459
Entropy (8bit):	7.157014739512398
Encrypted:	false
SSDEEP:	12:6v/78/nhHoLgTdcsOkCuZ3I6xhC3kTGtjzx7:XdXau5I6pTi17
MD5:	73A35AA153A7310E1DE170CE339F0242
SHA1:	85016176CB165872D08073CB27F23600599F338C
SHA-256:	1B7F27805D3486ACC7D96371EA3E91436D9347D7D0E70ACE883E54BDF8ACCA40
SHA-512:	2EF8B50F7FB23D219DF2AD666665A90C18E83DE24685DD17107F09100E493611C480EC73CBDC3B5CFC07B6FE60CB74506E08F01C9C9144A1A1AD541AD6B6F36F
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.100.r....:IDAT8O.SAr.0.._...<.+.-?(\..v..!QwW....Pf48...Z...w>..x....{\|..n.X.Y....m.....g..........._.. .+.~..Y.?Z ......D..C......J..n...B..a.l...............,F..()`....... [ND9.n....Sr... .....ke...'...!.K...y..TFSz.=....2.....ZQ..K...8..=.8Q@.Y.Z..y.D.a.\|...(....G.0.)...g`<D.....4TA_4u....N.zp.OF....\...#.N.......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\is-S29KA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	859
Entropy (8bit):	4.858296034006616
Encrypted:	false
SSDEEP:	12:Ty3COfcKd063/4Ga1rmWCdmr1gm+amVyxpgmkmAEnnmmImC4dmEnq:+kKGQiC5Enrq
MD5:	4A6A1B208E79D27168441977D43897FC
SHA1:	FAE08C5EF8DB510F634E46623AB09C63EA9C3F8A
SHA-256:	F2B9D0C45FA2A9B15BB9694C26BD75B45B4E011B99D80604D2984C0F856B2AD9
SHA-512:	79E43D69F7973750B534BDE680380BC912B906F3D3D848255BA3F8ADE4DC7FAD460CD0FF14230AEAED4285F291D6510AF57FA1F9876ABEFDE1F6D56890B35D03
Malicious:	false
Preview:	[Welcome]..ID="facebook.com/?sk=welcome"..[News]..ID="facebook.com/?sk=nf"..[Messages]..ID="facebook.com/messages"..[Events]..ID="facebook.com/events"..[Find friends]..ID="facebook.com/find-friends/browser"..[Invite friends]..ID="facebook.com/?sk=ff"..[Friends]..ID="facebook.com/lists"..[Friends List]..ID="/friends?ft_ref=flsa"..[Groups]..ID="facebook.com/bookmarks/groups"..[Settings]..ID="facebook.com/settings?tab=account"..[Security]..ID="facebook.com/settings?tab=security"..[Notifications]..ID="facebook.com/settings?tab=notifications"..[Subscribers]..ID="facebook.com/settings?tab=subscribers"..[Apps]..ID="facebook.com/settings?tab=applications"..[Payments]..ID="facebook.com/settings?tab=payments"..[Facebook Ads]..ID="facebook.com/settings?tab=ads"..[Gifts]..ID="facebook.com/settings?tab=gifts"..[Privacy]..ID="facebook.com/settings/?tab=privacy"

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\is-TV197.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	159
Entropy (8bit):	4.674458029739085
Encrypted:	false
SSDEEP:	3:91A2vTzyosXO/ovsh2vJ5Im5B9gHovNRN4o6bHiys6SIFv9oc:91A2vT+vm/h2v8ARNmi/6S+v9oc
MD5:	6BD299C4CBF0029EA3F2F85BE0268693
SHA1:	D45F93594FEEA321B778C691051CE9B47D13D480
SHA-256:	BB9DBEEE227D18FFB6BE8AE4C33D681CC8A04FF1120F69EBF73E98E4302C6051
SHA-512:	7EEDA815F4D91D0B588DA4B0F3EFB222CA189A8E42333B1664EC9520FD1BA68EF80ABC9F4B965CD5657A0334B8AED2C412DC79CEEF9EC34867CC429A51C1E95E
Malicious:	false
Preview:	[Guests]..ID="ok.ru/guests"..[Marks]..ID="ok.ru/marks"..[Friends]..ID="/friends"..[Photos]..ID="/photos"..[About]..ID="/about"..[Profiles]..ID="ok.ru/profile/"

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\filters\is-VOO93.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.685024049706956
Encrypted:	false
SSDEEP:	3:QRUXdrx9reugHovdMTaW4/d1amqKL946WImgK4/d1amqKLrjM+n:KOdrDeaMB4FQ7l9NgK4/dQ7r+n
MD5:	CFA4D0ED34E826F2A6A243ADCE69C272
SHA1:	F4C7EA1EFC0FD6A61706120C4BF66452418805EC
SHA-256:	9202BF8E81E98F492F5610A2F67E6CF8882890484F0F8E7B43EE9DA2D2372B70
SHA-512:	66663614DCBBC9E62E91A2B34B1518AD3EB7C78C39F8DA9523F1D17A7CBC3000EAC7F7373A698BF9F76A3B395EB857393225E4E77216EBEE06C83CF0D871FF88
Malicious:	false
Preview:	[Messages]..ID="vk.com/im"..[Friends]..ID="vk.com/friends"..[Notifications]..ID="vk.com/feed?section=notifications"..[Replies]..ID="vk.com/feed?section=replies"..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\is-0RFLO.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.314915181326778
Encrypted:	false
SSDEEP:	3:LqRlJbXyi6AA:2lBrA
MD5:	D584582812D6A2E882BE885DD27E18E5
SHA1:	388346E2897C7849D8F7E38A2450377023503257
SHA-256:	63B34D170783C35985AB770AA19CE31E5AC8C90899423BE3A587B1CF17D417B8
SHA-512:	C057ED6B8AD5DB53BD6D4FC556E03F3D6607D06A35D4FE91BD16B39E2DC9822FC7F1C740BA89297D31F645047B7941DE1501115ED2159180BC41B4B37C9F1D83
Malicious:	false
Preview:	Facebook..Instagram..Youtube..Twitter..LinkedIn

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\is-A6QLS.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2361
Entropy (8bit):	5.086790461308817
Encrypted:	false
SSDEEP:	48:lkYaqeR/Mfg1mg6kL33dMLoXL2MK7hWNPE0hx8wgOV+U3DkROxPDv:ukgEEx6O+m+YPFYyJ
MD5:	C846DA6EDAA3DA7B84D7C275232E7113
SHA1:	48EFA8A9F71BA06A8AEF67786F234CCFF43EBFF1
SHA-256:	4AAEB9FA982ADED9CE384AFDD72AD2D9F25F4D4803D29936D86F3836F71ED323
SHA-512:	69259712A33EEAAAB99503C95E8F5F5614ECBD300065EED89181A26DFF15621F69D7B995212EBD6062A739C0A05B0BFED11E5B367AE91A6D80895519F75CA455
Malicious:	false
Preview:	[Facebook]..ID="facebook.com"..NodeID=31..msgID="facebook.com/messages"..SearchID="facebook.com/search/results.php"..QueryID="?q="..LoginOk="facebook.com/?sk=welcome"..[Instagram]..ID="instagram.com"..NodeID=68..msgID=""..SearchID=""..QueryID=""..LoginOk=""..[Youtube]..ID="youtube.com"..NodeID=69..msgID=""..SearchID="youtube.com/results?search_query"..QueryID="?search_query"..LoginOk=""..[Twitter]..ID="twitter.com"..NodeID=33..msgID="twitter.com"..SearchID="twitter.com/i/#!/search"..QueryID="#!/search/"..LoginOk=""..[LinkedIn]..ID="linkedin.com"..NodeID=35..msgID="linkedin.com/msgToConns"..SearchID="linkedin.com/search"..QueryID="keywords="..LoginOk="linkedin.com/home"..[Myspace]..ID="myspace.com"..NodeID=32..msgID="http://www.myspace.com/my/mail"..SearchID="http://www.myspace.com/search/"..QueryID="?q="..LoginOk="myspace.com/home"..[VKontakte]..ID="vk.com"..NodeID=36..msgID="vk.com/im"..SearchID="http://vk.com/search"..QueryID="[q]="..LoginOk="vk.com/id"..[Odnoklassniki]..ID="ok.ru"..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\ru\is-6P1I1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	64
Entropy (8bit):	4.327066369049407
Encrypted:	false
SSDEEP:	3:K26WLRAXXRlJ6AA:b6WL2XBldA
MD5:	CE9D18D694ABDCAC70A411D4D97C0231
SHA1:	F12E3CBE15AF7D09B9733E08C8CA2A7B8B934DBA
SHA-256:	BBF1063DC08DB46AA6A44034E46B917D3F0A7F95668854565EBE8DFE2B0CD7C1
SHA-512:	245E456B408CE7E7428F96C293E0FBABE1FFF54B0A877EFE9DE18F49B0D52CE5A361E250FF8122EE07EE7CE276D56DCB5865339CA69545034726699C6315A7FE
Malicious:	false
Preview:	VKontakte..Odnoklassniki..Facebook..Instagram..Youtube..LinkedIn

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\zh\is-BMDNJ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.289760053836067
Encrypted:	false
SSDEEP:	3:GAwEHRlJ6AA:rldA
MD5:	A93742C5D8E593F07A5A9951CC0C9B8F
SHA1:	775714482966FE1FED5185AC0C73A6D44255AB29
SHA-256:	A15CF44B89919588E0C5D703E83C6E2D4E74C4F47D76EEB3CFB8CB6AD9821A5E
SHA-512:	C4899FB5BA32AE6D60D2AB9D0BEF08D05C0B9789969FDD4C015CA9B07B655183F2C70565EEED9A76FC915DCF80149961CBAFF7240F059331A7A872897E5BBEF3
Malicious:	false
Preview:	QQZone..Facebook..Instagram..Youtube..LinkedIn

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SearchEn\is-6QJEI.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	404
Entropy (8bit):	4.9066631019386255
Encrypted:	false
SSDEEP:	6:q3kkHkVMKScEhBLLPWKBFHxpZ8FEh6XQcU0socpvIEyyJFnHn:qhEmuEhBHTDS+Ifcph15Hn
MD5:	FFAACD55763032BE618C56FA855BA5B7
SHA1:	93F0606D9430762F5CE2A5D33D34B31D07F3D16C
SHA-256:	E381EBBA081525B6BE7F1861350B751CD85764255A88974F4B653D405E96304F
SHA-512:	D2938F0050162A8D4D1BAD84EFDA1A1843C86D322B1763020BAA87821FDA521FF86B2CB67DC5A2643BAA62D823A3EA56B5BE5C2F834A617A7BD68E34443BD0EF
Malicious:	false
Preview:	[Google]..ID=".google."..QueryID="q="..[Bing]..ID="www.bing.com"..QueryID="search?q="..[Yahoo]..ID="search.yahoo.com"..QueryID="p="..[AOL]..ID="search.aol.com"..QueryID="&q="..[Yandex]..ID="yandex.ru/"..QueryID="text="..[MAIL.RU]..ID="go.mail.ru/"..QueryID="q="..[Rambler]..ID=".rambler.ru/"..QueryID="?query="..[Twitter]..ID="twitter.com/i/#!/search"..QueryID="?q="..[Baidu]..ID=".baidu."..QueryID="wd="

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\is-CJKIT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12672
Entropy (8bit):	4.945624942122352
Encrypted:	false
SSDEEP:	192:PEOFXvauPDJG6oOmEvV8OOdc4QlyjzOsXY7g0jCsSbC2FRSnK:8OhvXFG6oORVzf4Wy3YjkbCORSnK
MD5:	EAB386B915F70A4A1F89FE9FF6869FE9
SHA1:	C4FAAEC24E3A335D855347DFABDA65D667FF45AB
SHA-256:	A0BB8DA59EA887B970CAB6DDACB14D3982A04D40FB40C391E7C043E0B48C940C
SHA-512:	FBF63960ADE19D872597158E99DE499C7DC080E64E2B7F921D8A3BB96A0A77018C8DC0B0DD9E8B8213F06BD6B5F5279DBC5180DC39A1A64D55A3F503B17B307B
Malicious:	false
Preview:	.[Social Networks]..0=facebook.com..1=myspace.com..2=tiwitter.com..3=linkedin.com..4=bebo.com..5=friendster.com..6=hi5.com..7=habbo.com..8=ning.com..9=classmates.com..10=tagged.com..11=myyearbook.com..12=meetup.com..13=mylife.com..14=fixter.com..15=myheritage.com..16=multiply.com..17=orkut.com..18=badoo.com..19=gaiaonline.com..20=blackplanet.com..21=skyrock.com..22=perfspot.com..23=zorpia.com..24=tuenti.com..25=nk.pl..26=irc-galleria.net..27=studivz.net..28=xing.com..29=renren.com..30=kaixin001.com..31=hyves.nl..32=millatfacebook.com..33=ibibo.com..34=sonico.com..35=wer-kennt-wen.de..36=nate.com..37=mixi.jp..38=iwiw.hu..39=plus.google.com..40=vk.com..41=odnoklassniki.ru..42=pinterest.com..43=livejournal.com..44=meetup.com..45=blogspot.com..46=tumblr.com..47=instagram.com..48=blogger.com....[Dating Sites]..0=match.com..1=plentyoffish.com..2=zoosk.com..3=eharmony.com..4=singlesnet.com..5=okcupid.com..6=true.com..7=christianmingle.com..8=cupid.com..9=datehookup.com..10=chemistry.com..11

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-09CPG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 197 x 285, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76673
Entropy (8bit):	7.9848305082884155
Encrypted:	false
SSDEEP:	1536:MAid3jb4CBlw8s1Q/03i/NRj/CWM9oLMqFAT5/EUx:MpoC/l703mx29ZwA9H
MD5:	3A12AA38DC04011E4267D84F9DF29A16
SHA1:	DB2B83756D27969D5701F20925A023B282B2212F
SHA-256:	16F1E3749736EC4BC63E0E64474FEDFED96468EE5901D1E3DADD3490C2B72380
SHA-512:	51A27A92771E6D2475A0B13965064A2C0BD4F9074E4CB344CBFFE046189F5B3A130321C7651C25F37BF66CF312D8A953B77FC4CE99F47C55A2FB63603D8CC47B
Malicious:	false
Preview:	.PNG........IHDR.............."......sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....pHYs..........o.d...yIDATx^..t........$.L..43w.....,[.$..B.d.-...................]V.J.......Y_...y..?..O.~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~........<.j.q.......tq..K.Zu.V..>..}..}..........7.&~.b....5.js....x...T\.s.`-.w.............M.'........o.......4.#...._Z....GuSF7....]>.'.............n....;.../..>\|XN.<i.../...kr..u.u..sg.~...?.O?....B..)c....L...7o........+r....y..wO...._n.m.@.>..u......J?...\|.f....)...................t.....k......`.M.........o.....O......X.2.S......\|..G.....ic._.p.G..S^_s..}c..k..5...@..h..U.Z..-_S....\|..R.Ycy.+..2...}..cm..@................;..6;^M.....Yc.).......1.....$T..<...I...>W....k......(..-...p...'....S...\.........F7o..6~]...,(~........f.v.zat#.&....\|}.....O.4...K..,T.#.(9.........x.@.7...Mo......(-...c#...O.....EM.a..OB..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NLKP.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	330752
Entropy (8bit):	6.515569416355077
Encrypted:	false
SSDEEP:	6144:67uz8VUGgQvLpVZ0hRBbV94fT5fyEH1iiDDR/WzdHAjdqqI4PFtK9S7/Q0RHK9mo:uuwUGggLpVZ0NbV9CNfyEHAiDDR/Wzdt
MD5:	CB66A1FEC9236CD46E2A3E5A00D887A5
SHA1:	531113059786F73A8C2376E08A12E62970B41E51
SHA-256:	73234A2B168E2CA92B2E09346C48FB85CF10085FAF76D7923257986B3F528E1C
SHA-512:	F5E3AD6B8FD6DCE55C0596BAF6961F86CD98598075899C02FB0B5C32FAF26FEA80C7C348C08D5D5FE41D89D61D869CF27AB230962A896D085206A895881CD926
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........hN.. ... ... ...[... ..q.... ..q.... ..q.... ...!.>. ..q..>. ..q.... ..q.... ..q.... .Rich.. .........................PE..L...L*.O...........!.........b......+........................................`.........................................p$...y..<.......8.................... ..D+...................................u..@...............P............................text...P........................... ..`.rdata..@...........................@..@.data...D\.......@..................@....rsrc...8...........................@..@.reloc...1... ...2..................@..B................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NTTN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1274880
Entropy (8bit):	6.836546460752662
Encrypted:	false
SSDEEP:	24576:te0Xn1+KpPCrpxqqyfATvxlLVNqRadDqef2BLbIEnp1VWMVRdzd:tJ0frxRqRIDXfuI2p1FVRdzd
MD5:	D66922B7D10F688564B1CFB25B2681EC
SHA1:	E97422EF6B23366FCD196DF334BD111FEBF2E880
SHA-256:	E0E0697DBCD35C5C8E6E0E19C8A4186F7902D95227E8D7C0AE1C90E0E56370A1
SHA-512:	5BCDB4D574E95B699EDEC336CA596C1D9446A648D27AD2B32E0D5C14F301F2EF783AE53062D9FE9E6FA956BF04A0B4F4F1B845B5194A72B2F9EAED4D9E9C0EBC
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..v...v...v.......v.......v...w.>.v..=....v...v...v.....r.v.......v.......v.......v.Rich..v.........PE..L...L*.O...........!.....4...\|.......].......P.......................................%.........................................x.... ..8....................0......pR..................................@............P..4............................text....2.......4.................. ..`.rdata.......P.......8..............@..@.data.......p...p...T..............@....rsrc...8.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-5A3UD.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	324744
Entropy (8bit):	6.473798658510248
Encrypted:	false
SSDEEP:	6144:a828zsUNQWVC9fKL4qz3fsrtP06Teim888888888888W88888888888bl:LDsUGWiKLxPsl06Cim888888888888Wc
MD5:	7951CC50E5BA5872D0F8625B381CF9EB
SHA1:	083AB8B75B69E4A3019CACD15F78276819075B3D
SHA-256:	4D6A55B6BD26B425F1819197711354B44522668891726C4204ED801B79CBE004
SHA-512:	6F4D7A9D15A4DD44EFB37674DB4C2194E0C1AD1801BB5C134B08990362363140E586A9824FC19618BB883BE713E2073D6210AB43D7DA39F52B3E40FAC1E818B4
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......[.....................$....................@..........................`.......................................P.......@...............................`...[...................................................B...............................text...T........................... ..`.itext..0........................... ..`.data...\...........................@....bss.....O...............................idata.......@......................@....edata.......P......................@..@.reloc...[...`...\..................@..B.rsrc................>..............@..@.............`......................@..@........................................................................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-6ADBO.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3255944
Entropy (8bit):	5.854777420491995
Encrypted:	false
SSDEEP:	49152:yQU+tbjuqCAsJ1Cy2KENzs0YGhEyP/FxRkvjhRQSNbJd/g/M:3bIV/D
MD5:	66D5C7CA9D59F4F6F51907CBC2C9A5E7
SHA1:	5485C5E4D4D6850CB55E71352A154382904D7A1A
SHA-256:	54FBC9B939BC532D3013343972776BE63AB4B900EEC9AFA6142A437799D67F12
SHA-512:	7633D9A008D6304413F62FD01666716FBF109C01DB911F72086B71856E2FC3F957296F88CE0A05D6689B217C89E0107AC55702FAEB57ADEB828E9792EAA7BC8E
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d...RH.]..........#......f..,.......s.......@...............................2.....?.2..............@............... ...............0/.\.......2F....1......`/.PP....1......................................P/.(...................@........ /.....................text....e......f................. ..`.data..............j.............@....bss........0...........................idata..2F.......H..................@....didata..... /......T..............@....edata..\....0/......b..............@..@.tls.........@/......d...................rdata..(....P/......d..............@..@.pdata..PP...`/..R...f..............@..@.rsrc.........1.......0.............@..@..............2.......1.............@..@........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-6T4M6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows 95 Internet shortcut text (URL=<"http://www.spyrix.com/purchase.php?from=sfk_uninstall">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	79
Entropy (8bit):	4.85878102769076
Encrypted:	false
SSDEEP:	3:HRAbABGQYmjziJS40dyTKVQXGNErnVIXKobn:HRYFVmjzic40dyTK6XaErVI9
MD5:	0CFB81BCF9D748F4FA82315851DF3994
SHA1:	997142DDFCCE97249BFF78E3AA5CC22BA5A27895
SHA-256:	43CD0ADA031349AAB522144EDDBEC4CBCAA74FE96F03543234EC55A178F77B7C
SHA-512:	54B129155C9449A684B208BDACC9056D188C14F62E2DB1FEC75E252421A6C905C99648A1BAEAF28F184C2BB3035D42C7BD0CB7DB28BA50265B84D06715AAC7DB
Malicious:	false
Yara Hits:	Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-6T4M6.tmp, Author: @itsreallynick (Nick Carr)
Preview:	[InternetShortcut]..URL="http://www.spyrix.com/purchase.php?from=sfk_uninstall"

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-98PHS.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows 95 Internet shortcut text (URL=<"http://www.spyrix.com/spyrix-products.php?from=sfk_install">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.920531868608183
Encrypted:	false
SSDEEP:	3:HRAbABGQYmjziJS40dyTKWV7GGWyXKokJr:HRYFVmjzic40dyTKWV7WyuV
MD5:	5691CB02970E3D46042CD411DDD33C42
SHA1:	5F98A89B9505821B32D1A9B9362A9A8881DF2790
SHA-256:	9C16F6639225765BAA8F23C7B37724B0B3E4837B41F90F612C81AEEDDE79CF68
SHA-512:	A36A6B642A23CA333055602214253D4616FB94CEFC3A89614AE8FD314D93E7887B4FDFD394C9D60BA1474A5AE4EF45EE5639E0F84197FBD4D25CE896FDEB29A6
Malicious:	false
Yara Hits:	Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-98PHS.tmp, Author: @itsreallynick (Nick Carr)
Preview:	[InternetShortcut]..URL="http://www.spyrix.com/spyrix-products.php?from=sfk_install"....

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-AFJU2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5197960
Entropy (8bit):	7.987905613584196
Encrypted:	false
SSDEEP:	98304:OLop0/ZuFkVsCuE8ZeuZyfNBp325ofbpYkEOJ9mWtTFoflfGefNhojiWSSJtY:6iF4sCJgGNj25qbekEOPniNvjDnSJy
MD5:	B3660FFBFB44E9C85287E9BF41126C41
SHA1:	5C959301DEF53C3B1915FD4ED93A8679A15B73BB
SHA-256:	097F6D50DDD1565D6F13E8675C533EBC83206A1EC2EB7E88F8CBEF25F2767F19
SHA-512:	8E583DCB02FC64C70490DF4A2EFB9AC3E99C2E6C197A2067A551A9D4A0A14D4D73A871437C033B290D51ADB9211E353F9349F9F02183F911B587577735A6EC99
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....H.]..................D.F.................E...@...........................".......O..........@..........................\|...\|....@L.$............8O..............0e.......................................................................................D.........................@............0....D.....................@.................E..t..................@.................F.....................@............P....F..H..................@.................G.....................@.................G.....................@................ G.....................@................0G..\..................@....rsrc........@L..R...0..............@................0e...).................@....data................HH.............@....adata........".

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-CIA22.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	472200
Entropy (8bit):	7.7873657676638235
Encrypted:	false
SSDEEP:	12288:371h6fR7jmI888888888888W88888888888ZAj5YDipXjATWA91e7YvtrnB0:Ym82ErtT6
MD5:	E3B46D53294CF1AA1FC45441D16AFCF5
SHA1:	6A138606CDA29DE3A19FABEEA5B78A73E8BFC059
SHA-256:	20D4BCD662E42C436AF424E44D663511D85DCBBA52FB12E1524EE1FB3E3C6810
SHA-512:	73DDF64994025A757B14D28F3FB2A42BF17E5AEB87C72C22A96E7F541C9A133296FA8D0D2F145587FF16565F1290E9FAD1BF517C6200083624A6F3D26EB643DD
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...jx.].....................(....................@..........................p.......X...........@..........................\|........................................................................................................................................f..................@........................j..............@............ ...........p..............@............`...........v..............@................P.......v..............@................`......................@................p......................@............p.......4..................@....rsrc...............................@....data................Z..............@....adata.......`......................@...........................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-D44HS.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	826775
Entropy (8bit):	6.520580307753605
Encrypted:	false
SSDEEP:	24576:QJCoOO8Mh2X8Vy0JHfv3kDpigeLKh2R6fFQVp:QL8MFVym/kDpitLKZy
MD5:	16A1612789DC9063EBEA1CB55433B45B
SHA1:	438FDE2939BBB9B5B437F64F21C316C17CE4A7F6
SHA-256:	6DEAEC2F96C8A1C20698A93DDD468D5447B55AC426DC381EEF5D91B19953BB7B
SHA-512:	D727CE8CD793C09A8688ACCB7A2EB5D8F84CC198B8E9D51C21E2DFB11D850F3AC64A58D07FF7FE9D1A2FDB613567E4790866C08A423176216FF310BF24A5A7E3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...TM<W....*......!.....j.........................a.........................`.......#........ .........................................x.......................@/..................................................................................text...,i.......j..................`.P`.data................p..............@.`..rdata..............................@.`@.bss..................................`..edata...............f..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...x...........................@.0..reloc..@/.......0..................@.0B/4........... ......................@.@B/19.........0......................@..B/31..................j..............@..B/45.................................@..B/57.................................@.0B/70.....i.... ..........

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EUIQT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1648776
Entropy (8bit):	5.9914945464763925
Encrypted:	false
SSDEEP:	12288:JpRZoV6Zzv8Grwlypy/JFzMKwjJjWGtN0Tev6WToMGAfD50jblsQnaGtpi7X/:JpkV6mtep7ToofD5vKaxL
MD5:	7BAF7CE326C3DF528A0EA60D1576270E
SHA1:	20DF9CDF2C72991BB241E4CBF75F490B47D375BE
SHA-256:	BBDB300AB994A6816731F75AE26003D7A816832F40F7C081F1AFE1174DA41B33
SHA-512:	22B96E50770F343C5F72CBBC15BDD663B36E36231864DF0107CEDA787A0FF99046BC974E4EE0A594DBD4D71962716A91E9818EDCEB4D101D4450EEB699101ED2
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d.....S.........." .................g........@...................................................................... ...............p.......@...........&.......1..................................................................`E.......`.......................text............................... ..`.data...h...........................@....bss.....................................idata.......@......................@....didata......`......................@....edata.......p......................@..@.reloc..............................@..B.pdata...1.......2..................@..@.rsrc....&.......&..................@..@....................................@..@................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-GGQPL.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.619226290054877
Encrypted:	false
SSDEEP:	12:0mUt6OsqaZCV6msEJ8jacUo4SPnHYNFlRpiaQF7PajRRqaqoPmUQxZAjnNlMze:u6qaCAMJOacZPmrLiFmjrhqxAzNize
MD5:	D14A0C814CF370B61E0957A0B27485B3
SHA1:	3FD380A223408E64AB6802DE5DCA17B460172443
SHA-256:	58D9CCE367D3F421DC8F5D8CF392CE5FF2941A784022ECDF3786FB7BE6755AF7
SHA-512:	03B5DFED784B982BC599B6ACBFF403E0A5DCE3777813CD99BD1809D4D426A66CF178F16DF885006AA3552E655CD0B18266938E90562CA652DDE5A2120C0FC0C1
Malicious:	false
Preview:	............ .h.......(....... ..... .............................&&'.(((.(((.!!!.....!!!.'''.""".....!!!.(((.''(.(((.%%&.........!!!... .....BBB.....................>>>..... . .!!".................................................UUU.................................................................................................222.ppp.........................EEE.............................................................AAA.....................................................................................................ooo.................ddd.................................'''.....................rrr.....................###.223.444.***.....................>>>.&&&.333.444.445.223.%%%.DDE.EEE.BBC.III.............qqq.555.??@.???.CCD.EEE.EEE.EEE.GGH.TTT.UUV.SSS.^^^.............MMN.JJJ.SSS.{{\|.[[\.TTU.UUV.UUV.VVW.eef.dde.dde.```.................................^^_.dde.dde.dde.ttt.qqq.qqr.lll.................................iii.qqq.ppq.ttu.^^_.....zz{.zz\|.ttu.......................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-I5RK2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1233137
Entropy (8bit):	6.374781764759289
Encrypted:	false
SSDEEP:	24576:3tdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5JTx912:dqTytRFk6ek1vi
MD5:	A4DAA23CF20143E751CAA516B9AE610F
SHA1:	0621574ADF3D835A75C353C8500AE155E3F203CC
SHA-256:	0A03D7CC4768814A2738287D2AEA5BA421FFDC84EE5FCB1724A757F60B7F7119
SHA-512:	F6A50B9CEA401514317E96792E992E31086BB92A32678E82941C709690272FDF79B793F01DBD3EA948CAA4E5010948A92143677419438C8AB7CC33A7A3E85A9B
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......W.....................z......l........ ....@..........................@............@......@..............................@8...0..H.................................................... .......................................................text............................... ..`.itext.............................. ..`.data...h0... ...2..................@....bss.....a...`.......0...................idata..@8.......:...0..............@....tls....<............j...................rdata....... .......j..............@..@.rsrc...H....0.......l..............@..@....................................@..@........................................................................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-K3O8Q.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	38533120
Entropy (8bit):	6.659117982180381
Encrypted:	false
SSDEEP:	393216:lw4FxslQp+QsIjKvL/RouclpOaPdvmtzzGnDHmgRBbxr5U0zvOaHxA2KZc4P9QpC:lw4fslOPKVouExr5U0zGaHxAJkuC+d7
MD5:	63C6697F6F8C4DE12A18633A65A6DD50
SHA1:	442715CE26B000A34E25DBE9BED05863C2488096
SHA-256:	2E92C42276AEA8D407AE41B3D8B63E6C39F33EC8D1CEEB4C632B54073B56BDA3
SHA-512:	50B6035BA8C2B4F871CD2CEF057A4CF21433999E6EBC2566DD92843D4F3DFFEF00198FA80F3D34424FAF049BEAFAFA637DB1FD061251A7D10FC82735E0313A92
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................&...>J.............P....@..........................P........L...@... ......................0..G........C...........................p..(...........................L-.......................................................text...h...........................`..`.rodata.L..........................`.``.rotext..............t.............. .P`.data...\|U...P...V...*..............@.p..rdata...k.......k.................@..@.bss........@2.......................`..edata..G....0........2.............@.0@.idata...C.......D....A.............@.0..CRT....4....P........B.............@.0..tls.........`........B.............@.0..reloc..(....p........B.............@.0B........................................................................................................................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-N2S1S.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10353408
Entropy (8bit):	5.542884102682375
Encrypted:	false
SSDEEP:	98304:W7bDem4+p8/3lVWTR+53KTXdqkePcAVCq6zpe3l7iV6+KIgl3zK7rHL9SUFAFdA:Ws/3nshq1h0rL
MD5:	B50566B4968276818CC5F54FCDED39CB
SHA1:	222669C00B7B661252E64484C0EFD0E1E7A57B07
SHA-256:	DEBEAAAE2D1F54C6C9FF883F4C150018150771B0693F9FCF3B094712C4E906C5
SHA-512:	CF9F3214D3B740FC1B69DCDFC9BB6EFB99BDF4EF98143485750945E757990DF14188393F9D044F64A89762206D96C076ACA01089B674830E0FA531A945ACEFA5
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-N2S1S.tmp, Author: Joe Security
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....f.].................(..u........,.......@....@..................................e...........@............................!..>....$..{..........x........"..... &.......................!.....................h.!.t.....!.&....................text............................... ..`.itext..<*.......,.................. ..`.data...X....@.......,..............@....bss....P_...0...........................idata...>....!..@..................@....didata.&.....!......N..............@....tls....<.....!......R...................rdata........!......R..............@..@.reloc......."......T..............@..B.rsrc....{....$..\|....!.............@..@.debug..uzz.. &.uzz..h#.............@..@........................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-RI0H0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 7 icons, 256x256 withPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 128x128, 32 bits/pixel
Category:	dropped
Size (bytes):	116307
Entropy (8bit):	5.552921189972054
Encrypted:	false
SSDEEP:	768:rOj1zrFRs/Mf91BkUfHm5Ly13tWtSSSevTFGzwnyTI:g9rFRs0jG5Ly1dsRGWD
MD5:	FF4995F432702E328871336F2EEED6B4
SHA1:	07694E3E05D29A4C8306EA31CED768FB479933B5
SHA-256:	875E4184866161971D793B69533EA40F658056436BD97A4A39DE06709BB8316E
SHA-512:	0EFB20C26E5319081E0B70645D60FC034F6D0A2F4D92957F3DF9F7BCA5863AD30CAB4778545D8296D46C2C26B4CD364C40BC894E1977DAB4C8447AFAF79ABED3
Malicious:	false
Preview:	............ ..3..v......... .(...s4..@@.... .(B...<..00.... ..%...~.. .... .....k......... ............... .h........PNG........IHDR.............\r.f..3.IDATx...\TU... ." ..n (n.i.......3....7.\s..PS..VK+.LK.5..TRS.-...ET..Yd..~...@ 30.;..~>.3....s~.9.y..h.......f.....M..{.W....r..X^n.......#..Q.....1;~.....q.Xnnn..[.~._.....d.......u.t.2.Ypp....'.?.h.oNVV......^... ...m\\..........s.23..y..N...z.kU..e.usmP......Luuu._PP...l.W........[.{L.....)...;n..........U2.&O.4.V.Z..........7A....R.A.......P....}tt..M.7.l.m....7{8::..~..{..O3=A..X..W'....$$$...._.:z...s.=...%..........e.=>......>.r..D..#..N..k.V.y..._..k.?g...\.r..co...6...!3. .p.V.&. ?/.....'m....dcs......+..?"3+K..E.V......b....4o....M.&......O<.......999b.. .."m!....+W.n.3j....S+......S.2.....>#'.A......3..........EW..<Z...:j.......N.kR..A...E.............7..^.......<3t..~..]R......Q.`..K.'G..v..v.......#.V.ZMF....j5M._C.}...n.......-[...9r.1.n...u...c....mz...4.......V..s.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-SKKKO.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	975496
Entropy (8bit):	7.98084634156827
Encrypted:	false
SSDEEP:	24576:obtFZpj2ljrYXUqjEGgakp5qo26LzAkEQ9zdgU+:u7jjijsXUTaMqwPf9uN
MD5:	E0C9D91F9EBD2F3974B42B4DDFC1F6DC
SHA1:	56B76BFA6875DA1CAC0C07F616A01A5BD0215E64
SHA-256:	21DA0CEDA910271F37FD63B3E7C817DD01BCC733B4F691A35E640D3E21657F95
SHA-512:	09AC85D463F816BA4FD28FEE16ED36F4C79E59671C8147F13A0E29C66F482E8DDE8C00CF06261E744B8C53FBD3F4C4DDAB017C4803EB00E6AEC9CE776B797468
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....g.].....................4....................@...........................".....k............@..........................\|........p...Z..............................................................................................................................................@............0..........................@....................4..................@............`...p.......P..............@............@.......8...P..............@.......................................@................ ......................@................0......................@............0...@......................@....rsrc....`...p...N..................@....data...............................@....adata........".....................@...................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-U65EU.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	[TIFF image data, big-endian, direntries=7, xresolution=98, yresolution=106, resolutionunit=2, software=paint.net 4.0.10], baseline, precision 8, 320x240, frames 3
Category:	dropped
Size (bytes):	3095
Entropy (8bit):	6.729660321273714
Encrypted:	false
SSDEEP:	48:u8/Pc+/bx0uERAGX6j9UCqgD97QB2xdddddddddddddd5a:u8Hc+zlEJX6lQcW
MD5:	499B10F1F3AE7CA6ACFBA3735EE75F4C
SHA1:	D5CFC9E2DC00A443052765491A915A503EF9C800
SHA-256:	EAF22AE8407F8DD0AC9F4FA7885A2DA8AFE288B09B2C4B87F6F17C5D50F2A988
SHA-512:	F29D30CBB427598E8577606791AF3C8277391BBF1AD7964217EAF78B807A6DFC9B99846F128A5F23BE7A409A3F7DAD81F3E5FC9B2CD15C12742A98A45A7CDDB6
Malicious:	false
Preview:	......JFIF.....`.`......Exif..MM..................b...........j.(...........1.........rQ...........Q...........Q..................`.......`....paint.net 4.0.10.....C.....................................'!..%..."."%()+,+. /3/2'+...C..............************************************************........@.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-0MLD1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	52084
Entropy (8bit):	5.088144154341775
Encrypted:	false
SSDEEP:	768:ssSn8tDcYXyC+R+8tDcpzyA/mwMWGwI+X0IjuqhR2X4PUPgb5o69HPriWEudPiaR:sswX64zI
MD5:	23F3B31CDFBD1A8A1695D3D7E4EF9B36
SHA1:	A1B344F97F06F83DD818A51338B965793167F826
SHA-256:	6774CCE8D38C1CE308190456560DDDC892BB4845220D08622C7D89BA79A148CB
SHA-512:	145B093694165C40D4B951A2193BC573E57538D0EC6252A1C659B5258ACC327573803C31BC184196B5C0AEF372157878FFF76E7250BB2B4211BCA04A0488B3C8
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1033\deflangfe1033\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-3KJJ2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	50648
Entropy (8bit):	5.076966621667136
Encrypted:	false
SSDEEP:	768:s8SW8t+CiBkyKWm+YqBjLW5qoqKZmbOTJbwQzgJetfBq4z+:s8f8Q4z+
MD5:	927893BFF8C06F090F00A06389C24A42
SHA1:	EADC77D6AAADC171CBF54B81A41930912803AAA0
SHA-256:	37E18C594AA49F95B3CB800A7425EB6AD57FF8BAA97A523F971F8B9F77FC5F70
SHA-512:	1DA7CA2795A54523DE39475A40832088924BFC49DD194A25E202C38D84F9A77389DEC2E612667C0D036ED911F3136D2D23D52AA43C6251D712E43C470E1031C7
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1033\deflangfe1033\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-7ANQ3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	53088
Entropy (8bit):	5.091636989377984
Encrypted:	false
SSDEEP:	768:ss/Ly89zHebIrXWeKyggjmvOnaCwL9W1bd5JIyyFXMjjv0dp+ILGmx5BfQNCrli8:ssm1Gg4zO
MD5:	505DFAF995C4EA7441C48E99C6400772
SHA1:	26C112D3664663D7B9618D11D9BF7C893DAD3A1A
SHA-256:	6D87327F851810F5CC1844EC1A39ACC0390EFB02284094EC53AF1CD4CE8CA3B2
SHA-512:	2F190B4882D740DB06E90532905A6A0EEBC73AC06D581FE993254C0E23A46E7DAAD5F63D0FF643F258D5603B6E866D8AC2447F336F109116777AB49FD824D356
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1033\deflangfe1033\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f40\fbidi \fswiss\fcharset0\fprq2{\\panose 00000000000000000000}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-9D0EG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	40943
Entropy (8bit):	5.062621250408577
Encrypted:	false
SSDEEP:	768:pqeS48Um0GhbtabQhOsWx/LCrLXI1n8T2njX8x3Ftt4MfRMIq818Z/6A9i:pqKH+qIA9i
MD5:	E2D6C3DBD79C905DABE49F310F9A134E
SHA1:	072CB75BBAD6904B39757E423EEDA0F3CA9FA8D7
SHA-256:	0A9C5D645D90A6D3CA88495DE5D0410CE8456C6AF5C0D56E4F225B81CECC0069
SHA-512:	EEC29BB5020AE654E7A0DB369722B1AD8286D97288C40E009B26AD20A2A9CD661B5AE9CCFFF7629B378EFC98AFA505F933F36C2AF0A49E7C7FD35D3925B0BF42
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-A58E3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	52487
Entropy (8bit):	5.092431049148049
Encrypted:	false
SSDEEP:	768:ss/LF89zHebIrUQBkyKWm+2Ck4O6CFURooIniy+JcOerjj1oMUliJ/KK0KhKuiFq:ssZmQUw4zQ
MD5:	CBF3434F05AFD39EAF4FF2766C533BCD
SHA1:	A339CCBDD47201D50598801A53E979B0C0A52607
SHA-256:	0F58E6C26916B5B1E7A9E1130C8EC22A08A2500972446EC232901013C7645A1B
SHA-512:	2EB64B6B8625BF64341EAD806EBE07E3BCD954DEC97D50BD68E6990062C1EBAA7553EA2834D04291B4E103F28296BB1F4F5CA6182E143F07752AD375DC8C80DF
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1033\deflangfe1033\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f40\fbidi \fswiss\fcharset0\fprq2{\\panose 00000000000000000000}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-D10P7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	67619
Entropy (8bit):	4.97621427952205
Encrypted:	false
SSDEEP:	768:pqen2iXwdvjLJzrrrMOcPI0QhhiLVptabQhOsWxkMvxGx5QZTTH0qp9cy4Q7u8vL:pqL5UneNTH0v1TIA9w
MD5:	7F53203AE2CC7D84AF20C4C2561D008D
SHA1:	0F7B0C2FBE82B7DC43C0C06BD1CC425222E16D73
SHA-256:	14FB048622D3FA8069B77D5C63E4E2682E9C2083D3AAE314DFCF16594EF2DE13
SHA-512:	B7DE6147020B380A09E01B62865498FBCCCC0436B119907BD1F15BFEB18746EFB22C5C88D1146BF33CF96FFA28D32AD44C4336560E43E448F5270F08D426F6FD
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-D29QU.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	34167
Entropy (8bit):	5.060082647909622
Encrypted:	false
SSDEEP:	384:p4ew9g0BnPz+p/zWFU48XTKjH2njzr8x3e9kl6YpXNEnysJQezqCdPcedBKfieoE:p4e548XTKT2njX8x3UW7U7vhezZ/6A9P
MD5:	67CFAF3E0373E3678B93AFE97714C9CC
SHA1:	67D9665DEC3734F04E4FE7F893FE12CF008769FD
SHA-256:	E47932F8DAD868BDFA11A27D4E6B6F5520D99C33FB574BB74D1FA4ED37DE33DB
SHA-512:	651811F016A6081D2913336BA4E1B7562DC3A65F7727005B25BC5F0B86C7AF97098C5AEC40FD42CEE43433B4F0036C64479A12C47D5A0A32ED42B656DE6ECDD2
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Time

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-DB525.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43600
Entropy (8bit):	5.089965856777119
Encrypted:	false
SSDEEP:	768:s8SX8tS1BOd5rXmgamSN4UIRop4RiHAhzIaq4z4:s8cWRK4z4
MD5:	A79752006AFB6D9A39FC512475ED8493
SHA1:	41B4CD12ACE830E94F30119B35317B7C3C49DAEA
SHA-256:	F0DEFD01327E90A5DCB72C78B1A1D0A875D39E43AC8CD1D2BB0E63B25465BADF
SHA-512:	003CEED560F76521D0457BE2CCD3E438E7100765A6ECA110AE9EE47B43FA807DB389F1B1E1C3D001FC170B38E211E46A4D280799BEE93DA79237B9BD9B34F812
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1033\deflangfe1033\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-FB1FJ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	51302
Entropy (8bit):	5.092103345877651
Encrypted:	false
SSDEEP:	768:ss/LF89zHebIrmQBkyKWm+eCk4O6Cg2NjrOX/zJ0PfOyGlgOYBJiDBNBiOl/Vq/M:ssZdBa4zS
MD5:	E5A9141385B035A9DA437DD1F1083F69
SHA1:	A6959E190DCDAD51B46960285E8EFBE532648E7A
SHA-256:	F5F01449E3735132C0A835E6F6A6E9810BF63592073AD66273F6DFEAE36EB41A
SHA-512:	A7B6E252D2B28977A1C1699582BC66B40D99D4B18F47CA78BAFF8D5D0EED592FF6FD9E98E3C10658823A586244CA08A8EDD8A8B1B9B391881C7794E1F0C5EED6
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1033\deflangfe1033\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f40\fbidi \fswiss\fcharset0\fprq2{\\panose 00000000000000000000}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-GS84C.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	54763
Entropy (8bit):	5.086159865228289
Encrypted:	false
SSDEEP:	768:ss/LF89zHebIrIQBkyKWm+2Ck4O6CFURooIniyl+n6S8aG+8Iu/wj5XvSTp5kiWz:ssZVpy4zU
MD5:	FE0FD5197CD49B1818CD102069665E64
SHA1:	313F0DF1F4B687043DAED9B1BB783BA36F8F1BC4
SHA-256:	787E3B3DBC3E1DE91DD2C786085ED70616AF51B843C56B88541B40601390E055
SHA-512:	B24055EE351C5973DF4C42D678A59F84EE4F7447AEDA49581413E97CBA59C0DF1F2E5712BC31C2F94FA399214208BBB9F1C6AE3EA6BB439728D1C5C5D156F96F
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1033\deflangfe1033\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f40\fbidi \fswiss\fcharset0\fprq2{\\panose 00000000000000000000}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-H1S8N.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	61090
Entropy (8bit):	5.061944824308056
Encrypted:	false
SSDEEP:	768:s8/N3CelQcu09coHJreOBnAF3vlmgaJnAF3vlmgaiSN4UIRopZMggLBbWmb8Sw1w:s85g+X4zR
MD5:	F233DF0C1E13DC0EC1FBC3DFE59E36FA
SHA1:	A032C4D543AA03D01A28518894DD066D8682CE2C
SHA-256:	B465F564E4A3FC70B8D12141C5CD4E1EA9C620D4B2A7A5DC84F54D8C5701F590
SHA-512:	13CAF615E0EEEA67CD8037106E7714CACD72F4A74CB53561766D6D7546E97F62A390BB09FD5DFA3AAE56499E13CD699E13684181443E4361BECED33D8D6E26F9
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1033\deflangfe1033\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-JCQNN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	53852
Entropy (8bit):	5.077126010099254
Encrypted:	false
SSDEEP:	768:s8SJmeIQTmoQBkyKWm+mqBjLW5qoISN4UIRop1BBAvqJ6Hcrfvw4QJuyHKj3z2yw:s8Urw4zS
MD5:	23DB4F7C5A211C876D606B792A96769E
SHA1:	5747AB46CEB3A87BD87CCB5723BF07E0CFBAA73B
SHA-256:	6229BB6489019CA563DBF8F11CF135C4604A22014337F3AC3FF4E39FC3624E88
SHA-512:	BFF0AAFAF0C676EB9CA6DCF5278E4796DF778943493826C8B3FE8475125C9ADDC4F5763BC64F12B62398C1B77343669BB518FD0A864E83A80CC9F3AACE519A0A
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1033\deflangfe1033\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-M4U85.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	47686
Entropy (8bit):	5.09343273407686
Encrypted:	false
SSDEEP:	768:ssS88UAauxWSlSQ4KxTmlbyGwI+X0Ij+SN4UIRopfviHmdW0isCE35OAnelmHj/F:ss9Hq5F4zY
MD5:	D883A50756AA633B20915B68BDCE5213
SHA1:	B2B99E912B3F0D3E0DF2C90B71DE5C3316745E67
SHA-256:	E41BEF0E6F6FCAB4CC5749CC8066F4AE4EA50F19C518B644B86034BC0885CB32
SHA-512:	670BA488A0DEFF9B037CCCB22912798487F5FC02AFB84E9DF41E2D1DB98E39CF7BC608131B6D38DDAD8250E96F7A9900CCCFBEDA80512BBCBED055788DE8D72C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1033\deflangfe1033\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-PIHGR.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	48225
Entropy (8bit):	5.096715936522922
Encrypted:	false
SSDEEP:	768:ss/Ly89zHebIrfVY9RtmIiRAN4UIRopxdRNudR5crHZi2drk7Y9mrjbmPObWPq6S:ssmpH84z8
MD5:	2598048BFC64A464E54D6B415A7303E7
SHA1:	6FD99F1B7BB146904F310EAA185C9BEF7794DB69
SHA-256:	70C7A754C1EABFA6640D343B1CCF2F773DED987C88AC8F90331AC7DBD1B308AD
SHA-512:	D50B166D6FD03868343EB90C549A7D0D6E6E72AB3A8C73A48E7FCB80AC17BD595BE237C7AEFEE47E1AE9BA80FA5C2DA9800F9A4562E7D99E7006EC89C626A2F7
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1033\deflangfe1033\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f40\fbidi \fswiss\fcharset0\fprq2{\\panose 00000000000000000000}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-Q8H58.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43013
Entropy (8bit):	5.090193363439038
Encrypted:	false
SSDEEP:	768:s8SX8t+yiBkyKWm+yqBjLW5qoFxbyl2Zweq4zX:s8cf4zX
MD5:	2519F9520A2AB950F74212172A0BEB94
SHA1:	BA0E1A1C41C867840AE63A677B053DA1118F886B
SHA-256:	E1A9AD7ADB8F8E6969D8F8522118371971B6FE01CD6248819CEBEDBF2EAE9CB6
SHA-512:	AA64B50E2570FFC247DB4D7D182F56A3C0010247AAC51D030AB554DA1A1B4D465CCEA6C50389610864E4B89E4381F575672D0A53018CE18483FAD26B021C1ECE
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1033\deflangfe1033\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 00000000000000000000}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-QOG03.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	79588
Entropy (8bit):	4.979859328003009
Encrypted:	false
SSDEEP:	768:p4eOev/+zl3C79k8thfqXMwANr1DZoLLXI1nHT2njX8x3Gj5g5V5V5h5G5P5N59h:p4+w60IA99
MD5:	BFC11879D9DE972A3AE377B204D09593
SHA1:	7B79C412A2AE5D21CCA333CC2F96B70DD7E1C3DE
SHA-256:	DA65EA1EAC2D7DFC5F8EA31CF07A34ECD9054B5BBE31AA7651DAB81518E67324
SHA-512:	81F878B172CC528E2ACE51BE1DE4D27B248EE8B2E5FB3C7A0B5D6A51CC5A4024B7255975F8A98F85E7BC79C16F059DC1958CDC0DDFC07CF9DA1B0926B21D0A49
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Time

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\arabic\is-RJR9O.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	56628
Entropy (8bit):	5.001958639036602
Encrypted:	false
SSDEEP:	768:pqFk5evUwdvjLJzrrrMOcPI0QhhiLVptabQhOsWxkMvxGx5QZ+GjaorHye0HmuwB:pqnVUne8GjaUECaIA9o
MD5:	BA9CD5C6FBC3F41BA7B21B842B211D29
SHA1:	337DF42901DA8E9855D59333E4357BB3CF9953E2
SHA-256:	CD14DD162DFBA323EB79D496DB0E9D053B9D21A8AB7E300232074458A91F62E4
SHA-512:	D6A9DC42E548806E469BA0B15C40E886BE92EBBE247116FEE9E15EA83D6B3A8B19C42DF639405DBCB70B3E6859E243406CA24BBAEEAA57E95CCE26128D04ECD7
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff1\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 0

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-0D5CA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	59955
Entropy (8bit):	4.987423779028573
Encrypted:	false
SSDEEP:	768:2FFbLxZjkouUyWXCrfTYlD2oC+zKjkMpAkVZEdvI9DFxg1946VKOFeOkOecLd6Pa:2FLIFxgCSIA9TkWIy
MD5:	E0ED1922B52E062A733812CDC97F78ED
SHA1:	FFE7CBE2173ABEC59FDD66949DF05FAE07310FBC
SHA-256:	436533A19E5DB84BAFC7FC2A0DBECE56577648EF416D5A54C2D3A9D46289B9BB
SHA-512:	95DF26BFFC5FD4B77773C460BDB438ACC4E1A3146E502C8D7FBECE9D29A842513E6C44DBFCB04BDB9682802CBE8BA6E49723C996A550EEB864392B71D184AE0B
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f39\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}@SimSun;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Time

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-3Q98O.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	52052
Entropy (8bit):	5.0423517848490995
Encrypted:	false
SSDEEP:	768:2eFD747+kxKTllT2njX8x3xezX3MmwxXoC+zKjkMpEZI6xAzj54vWHmI9ikzmind:2ee2XMIA9o
MD5:	86DF8DBFBB9E6B68A8255BF9B36A9A79
SHA1:	49BBA097A2FA7B3AA66E58F2ECCB244444C96AD3
SHA-256:	232B3BC657DA966541951F2BCAD65B0394BA11608B61F60732E9049B70D8C46D
SHA-512:	BE429F10D254B65E0DEBA90598DEF9ABACD7C641FDF418B7FA272DED99ABA0A3C6E91CF002CEFDB43D95F54466CD0631326788D6E59628ED0A7922422E530F5A
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe2052\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f40\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}@SimSun;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Time

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-45EQ3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	45546
Entropy (8bit):	5.037437776894658
Encrypted:	false
SSDEEP:	768:2QFDC47+HE1KEKT2njX8x3FPzX3Mmwx1DVw22vR4YaxZ8Y21kNFp6VpXGEy5Z/61:2QDnocIA9K
MD5:	04CD296601A182A19484D83613BC117B
SHA1:	3ACCD6A59B0E72F4FC2D6559D9C31A89C25383B9
SHA-256:	0ABEDA0EF9D4D06BC44EDFF51C9A289DBA0F58A672731F0F8A1B09AFCFD7C9B7
SHA-512:	12241D241CB7FE1A79009E1B4BEB7E9051A5523A3A4182BC19E52EAA3FED4D334822D4DD2E8F2DC3EA56AD32E121C7D69D0C7EB1D1495C5132DC460B5002D0E2
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe2052\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f40\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}@SimSun;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-5Q70U.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	50160
Entropy (8bit):	5.04516355825557
Encrypted:	false
SSDEEP:	768:2eFfzxZCCj/f95+6+WGNgVVhGPNolV9GEijPKcAPv6SAJjZR6TYqEkc0ij82oXTq:2e796RTIA9l
MD5:	D515DFD169E7F576978E8DDF94C8F57C
SHA1:	776FDAA33E7FBEFB6ECCB018DEEBEC03F23977E9
SHA-256:	3B6A48D3D59E44B95C982CD39E4F58CC7FA62237A089BDAC7844838F33C5CCD8
SHA-512:	8A61180120ED053F471874E0A8FA145071E39F89633C5C7085E84EBAC8BCC2E734E68F95D0B5C5C71CF168D5824D044D38C3C330CF2093121019D953C73A3431
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe2052\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}{\f40\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}@SimSun;}{\flomaj

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-5RDNS.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	46096
Entropy (8bit):	5.034181446312948
Encrypted:	false
SSDEEP:	768:2FFU347wx2Oa75aEZM/rvg20xQBcqtqYepjRBcnjX8x3b99QONKaQB2Ctj+Z/6AI:2Fp7FIA9u
MD5:	B8B7FAFEA8A56DF708E8CE7BB37516F2
SHA1:	FA15A15E9BD2B99CE60BDF170FBD668F89D87C7C
SHA-256:	E28805183757391F057ADA505CD5648E029FBB4D3DBCDDB9B19B8135A11EC113
SHA-512:	C8D9F66F94D32353F59FF2A28153647906B01ECE715A764BA33B907E81B27AE411FE951ECDD039A9BD596B7EEA1CD9CC802991EE74BB8FF71A1BE051B6CC32A3
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f39\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}@SimSun;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Time

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-AU9VV.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	53408
Entropy (8bit):	5.027531716371282
Encrypted:	false
SSDEEP:	768:2QFDC47+EvnaBT2njX8x33HcSAzpdhN0XmQ6ZdgvSSIAPZIAP6IAe+XUNRXp76PC:2QDXJksIA9U
MD5:	3BA78ADB6E868B5B64CA3AFD406569D8
SHA1:	3E8031CC5453C731A67604B495AEC251CAA93843
SHA-256:	C4EAC5BC2B6C11C7ED8741FF1ACCCAB71230E01EDD80403655EE54254673DA83
SHA-512:	28F58E5595C7DA45F3361C18B12014831D49B84D0FB572D331F2CFA71B8B22B16502DCDDFF6486F7767976BA0B379CBB21F467F9843962E4EA8A1E5E889EE79C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe2052\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f40\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}@SimSun;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-JAMS7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	78321
Entropy (8bit):	4.976590404148247
Encrypted:	false
SSDEEP:	768:2FFfi2w1wko5DlJXCrfTYlD2oC+zKjkMpAkVZEdvI9vTwlgBKMkZKU4BKjlbZBGJ:2FgxLTwluQfIIA9n
MD5:	98244D077DCE073255BF035B65157A16
SHA1:	FE4902B630F765BDAE2CEAE1742EA7759AA527C5
SHA-256:	F4C1F67C23A0C2DBF5D22EA15BF33495463FC3D40D2824707C1E704B2429896F
SHA-512:	6DA9BA89E24B1BE24B409E83E25CED82FDCC580B0BB997A0A6CB88430F99688EDA67DFB7C3DF1FAC8BB0DA9A5C863E9AF2D23F08571C5D4463C6948011776585
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}{\f39\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}@SimSun;}{\flomaj

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-KQ9NR.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	39768
Entropy (8bit):	5.028438731643848
Encrypted:	false
SSDEEP:	768:2zFUZ47+E29oy2lV9GEij/R0qrsT+118lsqZ/6A9B:2zdTIA9B
MD5:	A8C9AB020E61A95F3CBA163ABBF94E88
SHA1:	041D13002452D2AC0CBE8A2CC4D646B284F1B9C6
SHA-256:	2473E996CFF9D4ACA06608370BF1B5C0ACE937E4F8A1C699AAF2A5F87318D40F
SHA-512:	13FB3383203232496A3551F2D6A39F210432C5DAB33A4101564416A0069E72F86F85C000EB8ABA4C2D8E66FB7B6165A34CD60DA0A8DFA0A48165F358B2E01269
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f39\fbidi \fnil\fcharset134\fprq2{\\panose 00000000000000000000}@SimSun;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-KUVKF.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	66281
Entropy (8bit):	5.021285329842295
Encrypted:	false
SSDEEP:	768:2QFDJw1w0kWBP+WLZdfzbwKsFPcZR1yc+rZE7feMShR/pVRVGcefxRBcnjX8x3JO:2Q4Bb6IA9Z
MD5:	B9DE79AB06478D9A6CDFB82A7578E374
SHA1:	E103E4E779C53988209B3F0F752754162A5F638B
SHA-256:	7BCF98FA23001662B53624E64A48F45581CC6A5B70D53204203184A94581041B
SHA-512:	98F38D4D6CE05FA571C3AD3EE7C8751777F2A6EFB95C619DCD55F3F873AEC2842A578CE4CC654F2AA56E015D3D29955B8C49FE38CC3CBFD1B9D9910E9C7D9EED
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe2052\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f40\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}@SimSun;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-LGLCC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44042
Entropy (8bit):	5.0382315831173985
Encrypted:	false
SSDEEP:	768:2QFDC47+EpRx1IKZR1yc+rROcPI0QhhiLVRtvYq14MfzCJrUwQpd8HZ/6A9u:2QDFUnUIA9u
MD5:	C87126C1EBFECCC1BE9D35D2C25360F3
SHA1:	9968DE7D3CAA691A6EB0E643E643C34B7B044F55
SHA-256:	0965D39B40A80B7EF5452ACEEEC9CE43CC5C8D6762617F8FF907444377844D14
SHA-512:	0AA0315529CA2C5D04F4A5BF4DE4991C2F8551AA38559D5C6AAD87F363B1D806457C3F33274873CFCF661646FBE2F730A4461D6ADE66C2DB36BD13AFAD5F1849
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe2052\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f40\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}@SimSun;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-M43AV.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	98587
Entropy (8bit):	4.9835874653673855
Encrypted:	false
SSDEEP:	768:2zFbmxZM+tWe275kQOSAGc1Q33Tn4eMJ/fOcPI0QhhiLVpLCrLXI1nuT2njX8x3E:2zyeUnNIwuF+bDIA9n
MD5:	B729EF1A2C1EDAB184EE72D97CCF04FA
SHA1:	0B1E8F6E750120989728E8787722DB1E6C8AECA4
SHA-256:	FF86B07534B3BA1FB795BB36C8A7E02DDCA3F591A3EB242AA9F35773BE52AA1B
SHA-512:	8F4819A8CACAE7A93CF4BA2F42EABD64A6409B42F7D41B2363A6454591B7BF6C181E8F45F4359BACE952915008CDAD0EC59E8725E784657F3DEE795A19658EA3
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f39\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}@SimSun;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-O3A1O.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	50366
Entropy (8bit):	5.042918546603945
Encrypted:	false
SSDEEP:	768:2eFMz47wCEnkVlYgiDGi3w2EHnT2njX8x37HzX3MmwxEJBMmfX8+VUf8SP8VrZJ6:2ebHcIA9/
MD5:	479AE0F93EE93B62EDED9259EFD3D417
SHA1:	ADFC98043F7B02403F496028274A9849DADE9415
SHA-256:	AE39FDC0D0299C5CC2AE703E1F39CE87FB6317DFEFA3DD3957CC3C7BFC94233D
SHA-512:	914EB7570D95563A23BCF6CFC354297C7A9ECE8F48AC1E6F872B7CCAB00B9977271A7148444E8DD119EC6BD7C4A4DB4830EC7EEBDE89FDE72E6A20B3E5DA2E91
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe2052\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f39\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial CYR;}{\f41\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}@SimSun;}{\flo

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-PAFO0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	52084
Entropy (8bit):	5.0360425372195605
Encrypted:	false
SSDEEP:	768:2eFfzxZCCj/f85+jpnrNgVVhGPN2lV9GEijDKcAPv6SAJjVSkVeUZ53dqaYHErLm:2e720SvIA9l
MD5:	6C1BF76AEB182845D933C43B2FD3AD7E
SHA1:	2B5CF1297A2F29E1181C2231A521E57C207D16EC
SHA-256:	972A316D680C8D41CC19BE92E617D07832A9038CE9E5EEA23F1ABCC5DA983EE4
SHA-512:	7CC2F42278CDCC2DE781C8776095C83DB4739B635CDD93299A0BF08613C198A20F640BA8488C0B0655012D57B59F413EAF7EE57481BD4EBA3F5556E079D304B5
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe2052\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}{\f40\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}@SimSun;}{\flomaj

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-REGT0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	51468
Entropy (8bit):	5.04658714654288
Encrypted:	false
SSDEEP:	768:2eFfzxZCCj/f15+0UcENgVVhGPNIlV9GEijaKcAPv6SAJjmYWR8KdYJ2nkfleSQ+:2e78tYiIA9U
MD5:	80A5E124BF233B48028E3886DE7897EB
SHA1:	F21E4120B6E2C4CABB5A2640AA208E9A94E193B7
SHA-256:	99807A4CF83C65D73CA39ADCC5058B28CA17812102304288420BAF9091DCDACE
SHA-512:	8168FB4A5E19938352E6E2662330214FB4A4209BD015F9615E3308FB808633EF346BAD56ED85B9946D8B40F87680B8B09B3676EF9591BDD27131A3C5842423D5
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe2052\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}{\f40\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}@SimSun;}{\flomaj

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-T5L7V.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	54667
Entropy (8bit):	5.033087064941872
Encrypted:	false
SSDEEP:	768:2QFDpxZMjE/d8NwyHF2njX8x3l7G5V5V5h5G5P5N5gkBJ5qA23YtFZSEHtoGCzU/:2Q9svIA9h
MD5:	51AF8BBE0EB54E295570F088C17CBBA4
SHA1:	E8CD73723EB618FA3F9A26B7F56EAA0C9397F0C9
SHA-256:	E9E9F0B183F57BEA6BF02B6BDCBAB45B8BACDFF889CD4E6882E62C3E3F8CC4C8
SHA-512:	582D0EB523E3AA4F152A858DD15C10F5379BA981EAAC75A5B427BCE8287634AF3D14D8AC045754B5FE3BEC9CAC317EC324D72EC2519C11FAE2A9FE3D60FD1F15
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe2052\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f40\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}@SimSun;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-TIAN2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	48219
Entropy (8bit):	5.043881411943709
Encrypted:	false
SSDEEP:	768:2eFfzxZCsxIa4IRVIvOM/rvg20xLjIddpuXVfs+zKjkMpTFFJ+kH3q+1yMPhU32n:2e7uFdIA9V
MD5:	8C8176E8F2409E52F66BA8228B6EEEF4
SHA1:	ED1F5902631C6273022B8C1C6582BD15FA76107F
SHA-256:	FFE2EACEDE61AFC4BEF5370CF51CF41430F2660FEF291087150EF773793F5448
SHA-512:	3210FB8DDB601E1CC322213CFAD6F6A463D882CCD2BA21A4ED19414FC074FA3AD597AAEA75F6B14D857EBE7FB54B5B0594F2661EDC7BAEC0BB26C746C841283D
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe2052\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}{\f40\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}@SimSun;}{\flomaj

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\chinese\is-UOQEV.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	48087
Entropy (8bit):	5.042429118311867
Encrypted:	false
SSDEEP:	768:2eFfzxZCCj/fB5+aWqeNgVVhGPNNlV9GEijSKcAPv6SAJjeR+RP8yJ0LTrI6JtOt:2e7dRRoIA9f
MD5:	4BF6C8774BA58F01B8916C5DDD525E82
SHA1:	F493778C8F8CBD77CC9FC11F1E628FD05C6B0F87
SHA-256:	1D3481510B1220FF2BB3EFBC4137E73A237842AEC233E289EDE6039412FC1ACA
SHA-512:	208BA94ECDB45A089AD16A665DA51C7C29267268DE83DFC4F44D8EE29805031DD79E9681E12F6D5C8CE9C8E13FAFB3CB9C5DA535712416D4941233E546A794A8
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe2052\themelang1049\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt SimSun};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}{\f40\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}@SimSun;}{\flomaj

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-0OSR4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42784
Entropy (8bit):	5.040903024418766
Encrypted:	false
SSDEEP:	768:qqFkwx1eXCpMF2njX8x3JLjwUtqYepjRBcnjX8x3D5xoYAo79Q88T27Z/6A9I:qqRbnIA9I
MD5:	6A4574B9B32C4BC5A6F9B7825A003942
SHA1:	30BB8557175BD91B06453AA8017FA35754D870C6
SHA-256:	6EB4E3BD1DDD9B08957F4B2EC49482EB8C6A083F812703F28A51EDD2E1B65DCB
SHA-512:	2A220BD4DCE899F86CA79DB7F977362554CD80AB72BCC9EB24A28FA4D72B0F0A617655B76ACEEF6991273AA459CD1C7BF29FBB5EFE4C1E9C30CD900124E2BE81
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\pano

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-0T0N2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44577
Entropy (8bit):	5.047991849900316
Encrypted:	false
SSDEEP:	768:2aFknOj9rcGSOzlD0gl+0j3akipVsH5GmTF187V63Fq+1h1r1FOZ/6A9b:2amAhHzF187g3Fq+1h1r1FOIA9b
MD5:	91A847C22456099C70F172382B194CBD
SHA1:	E3C2687C4166260A3C70B667341DB4773461D45D
SHA-256:	84D171982B9A0B79099979907F3347B0E21DEC8162F8DB41C22097D89EA4D7AD
SHA-512:	C194CF609F25F2813696E8FA33178917E63FFB6B9BFC2F78A5E7384D97434CC8545C585B3D94829D4F4ABD5BF2A9FB28383EB22ABF8F3166AD3AB875BDE35E28
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 020206030504050203

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-1C3VG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	37249
Entropy (8bit):	5.028034136812006
Encrypted:	false
SSDEEP:	768:q4eoxdUjOcPI0QhhiLVutRNQf6zgOG4h/PWvFmZ/6A9D:q4V7UneIA9D
MD5:	0A48D352EE09C07B7AFC4D8FCA754602
SHA1:	A8EF06010F383B0E1DF2C56ABC44E3C28752D99B
SHA-256:	36765A4404110CDE20DBDD48BFB5C7550F38FCD80312627D2465234990A146D2
SHA-512:	5886EF5B32E3619BBCEA35A29332B9EB8BB7E05D2A34C7E9591756E391AC8710886AA52A9A4EF87227F58FE54109EFB3526B905AA1ED75ED93BC3ED7D6EAF871
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-1Q7BE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44558
Entropy (8bit):	5.049062407758663
Encrypted:	false
SSDEEP:	768:2aFknOj9rcGSOzlD0gl+0j3akipVsc5NcTF4BaVy3F1+1h1r1KDZ/6A9L:2amAhcWF4BaA3F1+1h1r1KDIA9L
MD5:	16036186160BEB81F13561AE51DCFBED
SHA1:	BB644BD11DABCC9F453A71745D7CF12A1621FEBA
SHA-256:	AE0674BF9ECDCD8A1550E0ECA0529EED66E9786B6029AE6EB5414769205FDAA2
SHA-512:	CEDAD90055D3DE40A431B0FF9FA89D9E2A25E831EC484854F01E04CC953EBBD50D76B23107C5D1446145A4596A721EEBB34B6EFF827C623D894924BEB64B8DA2
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 020206030504050203

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-2IP8L.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	57638
Entropy (8bit):	4.981099786389407
Encrypted:	false
SSDEEP:	768:q4e94jXjOcPI0QhhiLVRMek4aEqkGBKugOLT7eQk8C/Pr+uPmB35LBUo22xt2VOz:q49OUnWkIA9U
MD5:	DAEEF8D403213DE69003FA2BA7664B93
SHA1:	4A5FE0EE5ACCA61948EDA61062B395F59E224E7F
SHA-256:	635C6F72A6029595AF7922DF53835CE80BF486671E0BE4164D4612F03E993FF4
SHA-512:	5DE410F9C6A4F4A27ED9F456DF9D0D79DF87A21125718CC9B6674B0A4ED686F0630B1BE86A30B787053C3380A24C844899C3CFAA9A4854E72DA803AD673AF92E
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-42VT2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	73450
Entropy (8bit):	4.964144021615361
Encrypted:	false
SSDEEP:	768:qqFy4Ix1ELHT2njX8x3TLjwUtqYepAkVZEdvI9vtjzOKAn1+kxapy9qGZBwnzKuw:qqJCFtjzRYTIA9v
MD5:	44AF5858D4FE0291641EBAD16ABCC7F1
SHA1:	C9F06FBC5A106CBFBF4CEF359804C2B7E10271F8
SHA-256:	953B116F3D90FF0D38523204B5A27B7F1771F6A03109C4FC53669FDBB85A3C2C
SHA-512:	8093DF47216242503737849DB08BD86087FDAAF8D53FC69FA38A2D2D66448AE52D4D218F2E5816313E6FFEA7324A0583B7EBC2E1E93C2DDB65C3E5BB13F675BE
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-63OD0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	47296
Entropy (8bit):	5.036767014333867
Encrypted:	false
SSDEEP:	768:qqFy/4jfDCcJJrNgVVhGPNhHwGNjm+epnqExwaWxZqEUqCuj8QDe3n3g3/3Z3z3V:qqraqDIA9/
MD5:	7984C74EC410F7A952EBBBB798A09143
SHA1:	10E1E32861C86AA02C81D824CAEEB670DC2FD1F8
SHA-256:	922B12112DE9715D7164050920AE36A5AA44FB3346DF447C6ADB5ADF36483F69
SHA-512:	34B6C3E0E3FADC4AB057411FF42B6DEB01E3B70297A357358BC27E5A5A802D68B50BA01EB1DA42E922B00DA3C0F5E58330F9A751D496E107BBAE0FFC2E2B31BE
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-6QJ75.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	66194
Entropy (8bit):	4.972115474061052
Encrypted:	false
SSDEEP:	768:q4Fkex1eiCUYvmpNM2UrPGsGx7TYlDidldgOQrrFlEoIeRWeWyWVWAWJHZIWRWe0:q4vsLIA9i
MD5:	6181F9D5B81EC15F49F57FCFABF69562
SHA1:	451D5FBDF90E8CD153DC5990092613901D084CD1
SHA-256:	442E6A351381A56F912F0A68036C868F60D45117C92C9C2225948AC614DF7416
SHA-512:	5F5C61E9995C9081CFC0F97E857B5D67E45A1A6FD0796927AE694E25E41A50129E1952B19CF9A40A325A23137732465A718B1282C23688093160A0FF604BB124
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-7RSES.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	38736
Entropy (8bit):	5.026744300506052
Encrypted:	false
SSDEEP:	768:q4eM4jXpT2njX8x3frTlkCR9vIFfT5ebEgTRg+oQHMciZ/6A96:q4U16IA96
MD5:	F53987E38EB6461218A046384275D858
SHA1:	F7D0C00DC80411F7ABF389AF5597F6A9D76671CA
SHA-256:	E2F7132583F6483F598B1D587B4837EA60A4E8147602AB48F72C821FB65CDA64
SHA-512:	23C0AA0AA555D0D04E384320F8682A4AD4511412A854A819C6345F34613039328D5A880B57E0A40DCABDB90F0E324BE03EBA4696F3D93DF96441CF631E01F1CA
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-8A7QC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44503
Entropy (8bit):	5.048234089968532
Encrypted:	false
SSDEEP:	768:2aFknOj9rcGSOzlD0gl+0j3akipVsr5YJTF187V63F1+1h1r1FOZ/6A9b:2amAhryF187g3F1+1h1r1FOIA9b
MD5:	22F6CDCCE6FACBA92B6D270D8C66B570
SHA1:	7290B603CFA4FB5A44C379220E0694A41138C9B8
SHA-256:	B4BBF6FF64527A29990C52C45852C3A9C25D23A44650A9C78233B2440B731B60
SHA-512:	BCC875F094806C5B461A1C62E8A51F9A03BC213B1B48D0ECA421057EF7371C3C7B57A0FAF5765A6F86975B7B9AF98A64141CCBF8CD7E301D6A1A182C3B9935B8
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 020206030504050203

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-9K1D3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	49574
Entropy (8bit):	5.031691924230754
Encrypted:	false
SSDEEP:	768:4qFys4jeDCcJ+r15g5V5V5h5G5P5N5hBcqtqYepn3/xXdQQMQs2YMKBX49nNbaEq:4qYo3CtU7c7KIA9m
MD5:	AEE08B8B9A32D64F630D57580A2D4457
SHA1:	0BD2511BF3C71E549858E1990A07CA29A11A9C8D
SHA-256:	468D9AA761B58B6CCA9C93C271D3B9A3EC96D367019CA53F0579E3A5E87720FE
SHA-512:	16CE81CF5D2A1910E845DC857AEC389ADB9E2A05E262DD47F4285A5BF5EE9A522622484EC9CE875089B1526B0C0A5956A66B858A6A731F33F2BDE6E1FE130A71
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff-10\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 020206030504050203

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-9P4AK.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	50474
Entropy (8bit):	5.02065375573397
Encrypted:	false
SSDEEP:	768:q4Fk5e0/qCdXF2njX8x3l7G5V5V5h5G5P5N58JCxCIWC3/OpfVPV0VVqrHLLA2YG:q4bdAc8IA9+
MD5:	9796F2ACB16A082E1398FF7EB812FBF6
SHA1:	3D0439006944B32BA2864A66D50F7BB30857548B
SHA-256:	ACBF9B9D0150B9371E4FC0609F119C77E28F9999F6D30FEE0F1665F6A1116354
SHA-512:	AA0C265F319ED1193E474D23A793C53A697D44B29806EF6EDA7FABF83C597E45F49076D97DB919EC897E9257FCD41AB560A91E50D77EE6148FBA8A6D695DCE8D
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-AFFN3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44224
Entropy (8bit):	5.048946998383766
Encrypted:	false
SSDEEP:	768:2aFknOj9rcGSOzlD0gl+0j3akipVsM5qWUTF4BaVy3F1+1h1r1KDZ/6A9z:2amAhMuF4BaA3F1+1h1r1KDIA9z
MD5:	72509EF33CF9A21325EB2DD67445BA6A
SHA1:	37F7D53B232DE88B3F7D1CDD6813598DD611194D
SHA-256:	6C266D43303DCAC9CE57903481E22442AABD532FFD6E4ADF5C3E4B7820E8CBA8
SHA-512:	00957DDFF315CC324CE9EAAA890EC2712543DEA6ADC8892BCCED84445AF7A8701066FF44708396D63F3F8FEFC1FBEC8EEB687A4A9009632E1644D095300B2542
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 020206030504050203

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-E2BKJ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	48084
Entropy (8bit):	5.035611454104282
Encrypted:	false
SSDEEP:	768:qqFy4a4jfDCcJJrNgVVhGPNhHwGNjm+epnq/x7yjxNQwr8AUmQryuj8QDc3n3g3x:qqJ9aqbIA9b
MD5:	EF57D23344C66880C6A38F743FD3FF0E
SHA1:	FC336BCC92580A0D367CB5B3604EE0040CC08492
SHA-256:	E36C9442648C0564C6AD9AC6074EC2B5023BBEBF291708977714AD977DDC1633
SHA-512:	C336736ADD43033E4BEA538EDAD809127C1ECF80DA20FCD3E02065E310919529E44C5CF57D0FD24EA295FAE367BFE7F7C52465E18863D0B2AF37188EA069502F
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-FSPP2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	96477
Entropy (8bit):	4.924667312566969
Encrypted:	false
SSDEEP:	768:q4FkIxd/+zl3C79ka9aT2njX8x3fj5g5V5V5h5G5P5N585gVVhGPN9turfTYlD+N:q4pfLS7tFvIA9AA
MD5:	474EFD092A23625D32003FF87FF3453A
SHA1:	1BD49C74CD6DC150858759546E8C8B7A49F12288
SHA-256:	8AEAD04008796E39C04E7E0F99B5824387C416B5C2A0EFF01A9FE5881959F382
SHA-512:	3BED2B0372293ECDF4798D223917556E358EF8AB686D53519EAF6310329FF4B89FB26FA08F42A77D2B16C2065218B9EE746D9D126683CEA19ADAF83172895127
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-IPU4M.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44198
Entropy (8bit):	5.048748452821434
Encrypted:	false
SSDEEP:	768:2aFknOj9rcGSOzlD0gl+0j3akipVsQ5x8tTF4BaVy3F1+1h1r1KDZ/6A95:2amAhQsF4BaA3F1+1h1r1KDIA95
MD5:	B09494F1B4F83DBB2489B542B911DFB3
SHA1:	02BA1EB53181B33E02138D564B00DF6FF7084091
SHA-256:	901AFF931E90289B75F9385BE37787DF1A88D67419623904BD8C9C7AD9CBE21A
SHA-512:	79BDB81018FD674776B10007A0FEAFD3B4A16718ED531EFAFDE80F54A924281A4199A7F1A3005C8FF9BE4E6DE2240C4C480667C0A99E134BBA0BF0A414BFD257
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 020206030504050203

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-KL7VQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	56800
Entropy (8bit):	4.971134438284621
Encrypted:	false
SSDEEP:	768:qqe+2VXLHT2njX8x3TLjwUtqYepAkVZEdvI9DhLVtKAn1+kxATfpyuqFnZ8MSqi7:qqqkhLVvIA9S
MD5:	3B8361BD47C4A33C6753ABF66E840953
SHA1:	F47CF562955DAD89D07730162B53A778A9F72AD4
SHA-256:	81FA4579AC6CA95049C34F47439231BE533173F12A63187779B6F3762F648679
SHA-512:	CA1EBC99A888904B1BF43144C75F58FA4A3F2143FB00341E0EEA61B05CDD60E02F7527E4822144A082321CF2C93EEB8F395EA22295B0D3D9EBCBE9D32CE90456
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\f

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-MRUHN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44859
Entropy (8bit):	5.042653911286004
Encrypted:	false
SSDEEP:	768:qqFy4a4jfDCcJJrNgVVhGPNhHwGNjm+epnqdxBBdwwZxsAUtcGuermSShpHlfcXX:qqJ9aqMIA9Z
MD5:	0692A56E310ADDB8AB518DFF420373E6
SHA1:	1855B76BA5A77F96D7ED04FECD78342BB3902517
SHA-256:	821D367CFEC38EEB7BFC2635ECC1B8938802D5D4071AFFA380BF5D3DA32BBA8A
SHA-512:	FE0C99F78A2807F06ECE7E94CFD9EBAD74E65FE2E9A8619D1EB3FD9CA68FA1F80AEA29D7FE1CD0AA7CEC6DD0404070E99FBD1B14DE5409CAB94703B2C679083C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-R8RFH.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42930
Entropy (8bit):	5.0450094413030575
Encrypted:	false
SSDEEP:	768:qqFy/4jfDCcJJrNgVVhGPNhHwGNjm+epnqyxz/BSKIasAzoBYcXumDpIyZ/6A97:qqraqpIA97
MD5:	DBF71033F406A5C5C9AEA3EC2E669C28
SHA1:	829479F385D2FFC9EFF81C2E3F3543289D64C1B9
SHA-256:	452AA2D29FFC659EF8042B9933B8DD6A7A679E906371F3C5530E740ED0B8605F
SHA-512:	B926A8072DBAF438AC4F1B920D4C7B4A1E16BCD371F904DB429927968D2DA1D4C3ED1517DD7E8D35604911623F86EB4F46A3ADDA56B27BAEB9DB6063CA51BF68
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-TLH3S.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	39483
Entropy (8bit):	5.037147955886456
Encrypted:	false
SSDEEP:	384:2aFkyWNdW2OTYn/akrOc7jgskl7rVGGASZqeY4sMQi1OkBSyAQdAMeo75Y3kpTBd:2aFknOc7cskl/VGGAS0MDAJZ/6A9S
MD5:	2A08EEECD3328F25905421850E9182BE
SHA1:	EC931D459DAD71B222442AA00412E1E627F343E2
SHA-256:	F7F40C10AE7B09FB3D476FCEA2E2FC7CCA8DF57EE92899A1675B4A1B7D61749D
SHA-512:	D1F92F97F9B9F560A0FC510567A63B8A150759DCE4E25F0AA7B302537E3745FFA9722C144D1FF09308E7F131E92AD1CD5CB91C21B21ECE8B62E7A90B85911C10
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 020206030504050203

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-U80CG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	46380
Entropy (8bit):	5.030428428463447
Encrypted:	false
SSDEEP:	768:qqegxdU6T2njX8x3TLjwUtqYepr+pNINnNINGNAAlTuARAhyzc1TOCgX03w3n30j:qqHLIA9R
MD5:	E7F852CDF6B14E79DB92EF3A563FFE70
SHA1:	CEAD99D6CA825878A9040D0F05C04D34DCB48B3F
SHA-256:	C5F6E6F3BEB1F933033207BA5217B357F1257671A5DB08AC5D6E1C484AFF5744
SHA-512:	0F259C1081D3932B0DCA526CE090C3EDEA9C8B40DFE71649F6EED6F948F2FBFE9266C0531BEF728F15ED5969CCC1FE9710EA44903BB2CF49FBD8BA531EBC3D2E
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\f

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-UA9F0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	39892
Entropy (8bit):	5.034602521621446
Encrypted:	false
SSDEEP:	384:2aFkyWNdW2OTYn/akrOc7jgskl7rVGG1ZoQZq4sMQi1y9k1IKWhlmdBMyiX4+0Aw:2aFknOc7cskl/VGG1iMN+0dZ/6A9v
MD5:	D947033057D3BCAF28277A8071817DB8
SHA1:	901824B565296E552D80E934D8A2F39369611F86
SHA-256:	B8A385017A5AD17D0584EB61350466CD453CA521B282F195CA0AF0971621BFB2
SHA-512:	92ACB02795C228F72BF64ED33A55B6DB6D4222786B32FA0A67A6A55D53F6D851BC6659CCA4341FDECD6BF0B48E5CAC7D1A437A26927F790A57436C5AAFA1877B
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 020206030504050203

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-V9DA1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	36597
Entropy (8bit):	5.030646060695953
Encrypted:	false
SSDEEP:	768:q4FkNx1ETicPI0QhhiLV9E8cvtsomvimZ/6A9Q:q4GVUnXIA9Q
MD5:	4C157CB3C17D248D1CE74DB9A506CBBC
SHA1:	E8786D856D7F9A33E841A2C4BDF4BA41E8153448
SHA-256:	78E2AD2864EE4FA19DF5149FA7C86F4937FECDC48B0AC7965B9332706A356F87
SHA-512:	BA3C0F19E6B41C82021B4B0A00D9177F44D9341C5F26226258AEAC93DD46622C55C50ED284F5B8CD6DEBAF52C35B55720732C0FF9D86961E55648E2182D358DC
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-VAFHC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43992
Entropy (8bit):	5.0490517908671535
Encrypted:	false
SSDEEP:	768:2aFknOj9rcGSOzlD0gl+0j3akipVsb5IjTF4BaVy3F1+1h1r1KDZ/6A9z:2amAhbwF4BaA3F1+1h1r1KDIA9z
MD5:	093443BD0007A7BB28B50778BFB43E66
SHA1:	7FC5599F85CEBDA23A323994A57590E14628C84C
SHA-256:	2823645253E4999BA6ED5175DDA4B288C2D01916811294E0E538726BB43952CD
SHA-512:	9A1BB1C996C3B0561B2F1C20D8FB12E3B98322961572803AFFDA7659E024840BA5FD04C53329A443F1C8DB1B16B89CD2E64CCE409AFDBED6139B21F08A65B3C4
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 020206030504050203

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\english\is-VRP8E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	45730
Entropy (8bit):	5.0380816279242895
Encrypted:	false
SSDEEP:	768:qqXQUx1e8Ca9DGi3w2EHnT2njX8x3FA5xr7YZhZOZiZFs7tAZkjCfbH1Yvv71KDH:qqAGeCIA9+
MD5:	BDBE095C7A0E96988B0CF67900DC1BEA
SHA1:	D2FDD08E37CDD417C3CD03A0432CDD50405DA76D
SHA-256:	EA0ADE471AA7488DF2B2589410D86472EDDDEC744B1F61ADE5347E9E3A297DD9
SHA-512:	87C1513C522958F71339D363324B0B5A439E090478D5D235444E329CCB611ED88B8AA186BBFA91B3D4DC576022CD62AEBC2019149A80073BF6CE37670EC4ACAD
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f39\fbidi \fswiss\fcharset204\fprq2{\\panose 00000000000000000000}Arial CYR;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\pa

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-0FIQK.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42991
Entropy (8bit):	5.042023549126302
Encrypted:	false
SSDEEP:	768:wqFkwxjeVGh+DoLLXI1nhDGi3w2EHlT2njX8x3DGRlBB42Nn92knS7eOZ/6A97:wqR3zIA97
MD5:	4406D386834A212EB3AD85B6410AEE1B
SHA1:	FE40A4177AEBEF814E9104273942637E62180E61
SHA-256:	4C083A2E2B9A6314BE4C4616010210D7191A949BB5849D140631CAA6AF0B8E5D
SHA-512:	DAD1AC26094545FFBB57D74B6C04ACB2E5279F8B045D3BD53CB27ACD877F6FDC4C9A6894B7A703C5A94EF6805E2AD98D7B1C6588CF9CF90BB790AE2625AA8AD0
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 0

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-21CII.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44025
Entropy (8bit):	5.051099948351621
Encrypted:	false
SSDEEP:	768:Vk1q34J9zZenGLQ4oaqVYmSSlSQ4KxTmmqoRWhsPVafhFuogRkPcStxSUeXeq4Ts:VklnIqi4Ts
MD5:	FCD907A82F0CC0B40AB352E6A1D330A9
SHA1:	AB3E2A7ED7791D51D6656A5A133A09CB87A98688
SHA-256:	20618AE093716DFFBF4B00CEBAADE7A5E33D628858BE3B81DD766343752CA2EF
SHA-512:	260890BB6352AE544AFA660DB1CF91CC1CDF5A2843F753F9291F1DB96E7B7E7E1BA10960E48A58F9B42CDD20CFE33C27A10A0A522A713EE8D95711A8ED31A307
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-2ALKE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	52940
Entropy (8bit):	4.975127205823685
Encrypted:	false
SSDEEP:	768:wqeaxjEJHT2njX8x3TLjwUtqYepAkVZEdvI9DhL8DqGJU4wEgmODwKEPrTDjwEaP:wql9hL8/44J0IA9H
MD5:	3F8E8B70614BCFC77C9E8A18E5B10EBF
SHA1:	1AAEB77F20B21A38684CDEDB73575D291C903060
SHA-256:	F55FBEE6CA1A13B8462150E411B63B84763DA220846DF944877DB2F3C617D8AC
SHA-512:	1C4262B5FB06626E41CF0CDD834F8A36007354934A07A24E4FF03BD6DBE45F4E8D52E06B4A08081E2AFEA8CCDD59E684ACF7241EC30B00AF526AB61A5F88ECAC
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-2TCBN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44713
Entropy (8bit):	5.051900255865599
Encrypted:	false
SSDEEP:	768:Vk1q34J9zZenGLQ4oaqVYmSSlSQ4KxTmmqARQOjeF/RS+Lp9XhPXhnPnCLTXM40K:VklnIqxR4Td
MD5:	1BD599E9D3E51995F3F39B6B680BCF5D
SHA1:	E0192B60533DD734AD8B4500125A25E78A48E551
SHA-256:	3894B01C5A095E0EA124AE6FE638F75990FB12D96FFD000EDAAD43D9399D5DEF
SHA-512:	726F4E9BED9C4CBF56AC082A81512ED842EADC28028FD6A8895954C4E946F20681E8C6A28236674E3B1006538E10EC2F5974C4F115D74DD1928E7DC2ABA3FF07
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-3Q9L4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	37414
Entropy (8bit):	5.037445111384111
Encrypted:	false
SSDEEP:	768:VkGN4JS0TaGC5X2kccMG+vK5j8kES638TFeq4Tf:VkHA4Tf
MD5:	EEF6FD9574018AB7519DF0FE47A51EAD
SHA1:	58D45358315413816630C67BC892C7B20B986589
SHA-256:	8B7C442F64A83CF255F5A9B2EC6A9152A697A4198033C1727A63F1CCCF340231
SHA-512:	90D71196AFFFCFA83AC1F0DF325B18FF8871D9B45934676BD7105D8FEBF2EAF15C6AB4E0ABB93FBAE9A160F3B6197102117E527A8FDE66BA50E7A2AE0A03493C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-57VGA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	67990
Entropy (8bit):	4.982434864560598
Encrypted:	false
SSDEEP:	768:wqFy+Ge+UJHT2njX8x3TLjwUtqYepAkVZEdvI9vTIM4qR6GN6K2ZPEhe5Vu3VXrO:wqbPITIM4pwUKIA9k
MD5:	2412AB401BAE4B3A3C10399F29377A84
SHA1:	1507AABC44E5983E9B414D48FA6451AAA2F421C6
SHA-256:	753A18AEB9F547350546B9379F5246E4344BFC444F658E560BAF51369AA401B4
SHA-512:	02CB0F1B5D17DEB9B95E3527A1AC0815488217178C13F42D4B6DE567C1B55D6A348F3356109C03CE58C6E9FB94CF64471100530658C420CA6CE81E83FB3BB4AA
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Tim

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-5VP2B.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44992
Entropy (8bit):	5.035044653724291
Encrypted:	false
SSDEEP:	768:VkGN4Jt0TaGC5X2kwYp+CjcWkDxKWzHkp2Cj3DQS7RfUaMpQXtjfGKSMpoFbaq0r:VkHx/o6Ns4Tp
MD5:	A4B133AED3E483AD18F78E5A993333DC
SHA1:	0B90C31D5E00389329B841BC8AAE13DD5773A69B
SHA-256:	CAAC008A1495175A0AE18434537C0053B46D5289F3128800D689BC7FA4F92830
SHA-512:	A34192B8217C7352E3907976062BC5B3BAB5B6FDE2C9A8C885CA8DD8E48EE9A94226EBF6AE1E05371A051CF041E8C4DCB08957F257C5A349EFEF679A5059F8FF
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-8L2R5.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	78397
Entropy (8bit):	4.994922160783421
Encrypted:	false
SSDEEP:	1536:w4ZCmyp6N8nvBnhv+yyW6OjFwLYbJcmTaIwIA9h:wAFjmuND
MD5:	52630AF15CE5E8DF4DFBAD1E2CECBDCC
SHA1:	7D5A3ED6E274227C05486B222C5B348A4489B96E
SHA-256:	08CBE91EB083B28FA50DBA66B6386FB3446958F27BD31B5EAD83824EE236D9D3
SHA-512:	43AAB356956B2C61E72CA87EF2AB966EB9BEB23B8A414B017DC6E2061A594556D696E705A346E442B6BE21C798D2720B61515C9ABE5A8582D6F6654829909893
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Time

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-8PAM7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44178
Entropy (8bit):	5.050546012194347
Encrypted:	false
SSDEEP:	768:Vk13ixj2HiBkyKWm+m2NjrOX/zJSYctuTZ4Y+2XrXZ3iE8f32HNzQf3IUBwkl2/j:VkeWY4TJ
MD5:	8C6D29E2A257F91393950B5369539D50
SHA1:	674B7489A1DDF7B46040AC571F3DACCEA00F0162
SHA-256:	9A4326ABEFF7FEABB451943D15DC7CDD41DB433BE2A450BFF0C024E0302C6BA2
SHA-512:	81E81D6E6920F9E3B5D601209CE5C79343EE95B4BED07C6788A30B8E48F337E8D73918291634E98644AA3BE96A6E171F9F610FD33EEDDB6B1D17DD9E1A25FA64
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 0204050305040603020

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-CLKBM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	39446
Entropy (8bit):	5.027602531409886
Encrypted:	false
SSDEEP:	384:qY6g3X45Y8qb7PzybdKkjnxhVj+pmvhY3q2g4Qi6rGsoUwEAG2DaGa:qhg3WxhVCpm5cNZdU4a
MD5:	D0412C982483B1FF14AFA1B5C84956B2
SHA1:	1CBFDCC34F3DBFAC69E0DBC156B7A14A9E68F0FF
SHA-256:	BB09C2D2E43E921D0A42D1EB90AC5EB5639D85A5DFAECF38D36DC3B1D35DF9F8
SHA-512:	A1545A9E433401BB884D801D9FE76C37D8F00A68E9569A62873142446271FEF153A3B2770BA0F9FF11179DCEF03803ECD5CDC9DAA651FCF6036B36FD27556367
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang3082\deflangfe3082\themelang3082\themelangfe0\themelangcs0{\fonttbl{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}..{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fh

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-DF746.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43096
Entropy (8bit):	5.0549310472842155
Encrypted:	false
SSDEEP:	768:Vk1IwSxjeXQuTJcOerjj1oKauIKx49kWYhRnFJR2qitxAC5fAw7Wcu7aoZq4TR:VkzQUS7A4TR
MD5:	CFFAB85802341BBD48B8494EE847AB9A
SHA1:	06FA12A2151BA01366452069E218382C32581B41
SHA-256:	51C57212580E8C320617943231A7BA8D592F77544E3BF302E89A419F68EFF751
SHA-512:	99C5E288398E430D0BEC05F3EE93044136DE019BF5A98962550B7D82D069441DC507BE9A22DCCEF62058AA64BF7F78D252BE579899DFF252F25F422C00113772
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f39\fbidi \fswiss\fcharset0\fprq2 Arial CYR;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \fro

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-IM3LB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	37144
Entropy (8bit):	5.0396581331661805
Encrypted:	false
SSDEEP:	768:VkGN4JtOiBkyKWm+XnvKT0+3HEXL6LhyXWx2jUvJq4TU:VkHHR4TU
MD5:	3EE19309BA4E122B381C9DFD89AC3E83
SHA1:	5B5AD1A494BFE593C8A74BED71A60BAA2F47AFC2
SHA-256:	2E73E1CC938915B084B13D3E93931B5FC5DB48ECBDDCB5D14B0684F919A18067
SHA-512:	B9ABFE6A3327565F79F2488CA67DD18D3053DDA2C5F7A52F0521F77942B69E7133EA88687E7EAAD73F53A7D6280A92A91A269DC8CBCEBF896D2D9C044073EB58
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-J7CT1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	46393
Entropy (8bit):	5.040883358685065
Encrypted:	false
SSDEEP:	768:Vk1q34J9zZenGLQ4oaqVYmSSlSQ4KxTmmq9RXRjOotI3qyLbfl4vBLbflAvQLbft:VklnIqG4Tb
MD5:	A44BC6DAA0FB852B0CC5F2930B338509
SHA1:	2E78886E8630AA1D8AEB320F5324635B36FE241E
SHA-256:	87355813ED68AB3CC1FC6AC77DBC2AA16248012FACAEE98F06F106A28D2F688D
SHA-512:	A589A22F3E556B104ECA9D4E557B65218C254587DC3CD73569D7F0101CD1073E61068699BD48CF0B4A695772C82FAD1A689ABC7D6CCB90A043E1FE729140B795
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-NFFDJ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	36715
Entropy (8bit):	5.031988851778873
Encrypted:	false
SSDEEP:	768:w4FkNxjETicPI0QhhiLVDfpZMHDMI4ZlZ/6A9T:w4G3UnnIA9T
MD5:	3782483D6EE007A1D36CF22E4377E736
SHA1:	28407BF172DD8CE139D46271AA509A64AE3C96E4
SHA-256:	6E7E08A47C098030ADE2040BB9605B271619E9D57FB57BF9C2895710B64485A9
SHA-512:	7AC317D52EADCF7EE5C9B1244FAA030376953ECD7227F0735D8755BDE2F6E483DA6D8D629A8D978A16EF1969D94DBFBAF6342B3BFFAA58BF61B2874959A4E2A2
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fdbmi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-R7DTR.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	53715
Entropy (8bit):	5.038599976742919
Encrypted:	false
SSDEEP:	768:Vk13TxjelQcX09coHJreOYSN4UIRopZMggLBbWm6V6ER4IE5RP9lIXsqJo6vjo4S:VkLjcv4TI
MD5:	6E82D6B3AAD2EAEC506AA8ABD4728C58
SHA1:	622141D986976DC0ADB2DB17698DBC082BE74674
SHA-256:	91A6F151A727086D36660F130446F70FE6115808C5E56FA36FC82A8CAE25A481
SHA-512:	B0C477686E7583EF9412912A72A7644F80D20EB8EF904E7B0A3F2F89D4B2DB0DD7FC9FDB61B4969787AAE3C931D1B15EA8BAE1BC07CE3D340F40CD3D182804A9
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-SNACV.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42179
Entropy (8bit):	5.051623327565713
Encrypted:	false
SSDEEP:	768:Vk1q34J9zZenGLQ4oaqVYmSSlSQ4KxTmmVQP9RTaC0n1azbtSqqjgq4Tt:VklnIVQPc4Tt
MD5:	5BF7705E104DAE21287D29BA6B73F990
SHA1:	68FE0FAEB83DD82163599C4A0C86A42EB0E1645F
SHA-256:	425E9788DA3299CCF2FE2E25AD8E4BF0EF65F22E2F10702C7EDA2FA6D160917A
SHA-512:	A3D6C652A8C362B22B5F4FE4879411C5468DAAE6ACB6A13DA947D14C8E483C83138DC18212E8D2A1D22656985A2AFED8373A7023B4C4D0BD3992EDBEA0D7875E
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\french\is-TD8IJ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	45200
Entropy (8bit):	5.054793082738369
Encrypted:	false
SSDEEP:	768:Vk1q34J9zZenGLQ4oaqVYmSSlSQ4KxTmm38RiaKvX2pBEz/9qj+793RM1HWMV5XA:VklnI3K4T7
MD5:	C60A8FC0107FBDBEF9FDD171B44442FD
SHA1:	F0F4187630411D3F6F0DE7ECD98CE99AAD45AAD9
SHA-256:	576A4766C686DC03E95228C84262970BC266ECE801DB7127E68EB8F1080CCFFC
SHA-512:	5E209424A9E25DF565C3648A4350AD76FF144165ACBF02FCD891B1F6EB87AA0CEBE3710F9903D9F796005724B44843E8D36E41768BF2E4188191E97ED58D5C61
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-35SO8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43859
Entropy (8bit):	5.052664414201202
Encrypted:	false
SSDEEP:	768:Bwqtxdo1SeUGLicPI0QhhiLVptabQhOsWx2G+xnd9MfUcL2L5Mc5255cRHjVlPw2:BvrUneKGsIA9B
MD5:	F7320542A3AFF0FC824E6C8D5CA74FBC
SHA1:	F3C273969AC71FB411A5677D23898B7FE0633BFF
SHA-256:	FAAAACD62FDB8F2901ACD5D39CB2D54B9A728B463900AE08916DE586EE9CD521
SHA-512:	8CD8ED594846968FD2932A0E396E4DD1833EC10C4CF4F187C80BE34378E55605AC190EE87A1A47AB335BF19764640FEC14F4A9CE7C5893877EAA995FADBC18BA
Malicious:	false
Preview:	{\rtf1\adeflang2145\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1031\deflangfe1031\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-3IPFD.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43674
Entropy (8bit):	5.051136691912746
Encrypted:	false
SSDEEP:	768:Bwq6xdo1SeUGLicPI0QhhiLVptabQhOsWx2s2x7yjxsqoLq2IDSssDSsaD0iHw8V:BErUneKsyIA90
MD5:	03D5DC91896BD88D15D82608B85FA10A
SHA1:	741A620D22C4A157211C2972E53AF6C402E00036
SHA-256:	0EB740A746A33237558E99DA3599DE9DE975F7CE6C8988CE3E602C89E130BCFD
SHA-512:	5C211CC5A33A7590C5ECF2BCBE479A0EE1AD56CA300D136A752F6BF26CEEC2643825EDC3896550E21C436DB2B76AB895818BF4C9B3EF12E3E481374E322E37EB
Malicious:	false
Preview:	{\rtf1\adeflang2145\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1031\deflangfe1031\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-49C44.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	64381
Entropy (8bit):	4.988979875660243
Encrypted:	false
SSDEEP:	768:qqOk54jXLHT2njX8x3TLjwUtqYepAkVZEdvI9voWaHK372zqfAv4thgC6hPBe76I:qqsGoWapDkFIA9r
MD5:	AAAF94CACA8AD4F92989D297080C2BA1
SHA1:	77028513B9C873FED4C318AB157291519EC95377
SHA-256:	6D5B91A62B02312861BF0F5D77F837E00DDE5A94CF7BEE757CB0436735E736B2
SHA-512:	25DA1A3B06D563D0703528FF2CD4AC95506906C799CE2E96A0259BEA44CB2E77762996E7AA4189459BFDFA7DA0B69403425DF780B10D50CD549407B728C6358B
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-CC7L6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42483
Entropy (8bit):	5.0516758116152145
Encrypted:	false
SSDEEP:	768:Bwqtxdo1SeUGLicPI0QhhiLVptabQhOsWx2DqxxqAJ7iYH2qlyTU6Z/6A9r:BvrUneKDZIA9r
MD5:	4419419BD2ABBE30C63B730ADA875674
SHA1:	2946FB19C980B330C1B4719AE6F915520709D99D
SHA-256:	180D6187E16BE50A3649B861A5FB7580F0AE99E949FBE0EAC05FBB5B17BD6F99
SHA-512:	2656094851AFBF719ECC12DE1AAA73C2040DA4FCCD7B4AB4E0FB6130472E606C5F8010A1D58C6D015F5DD8A71DB7C6E14811229FF2360F3D26BFAC4E737CE6A5
Malicious:	false
Preview:	{\rtf1\adeflang2145\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1031\deflangfe1031\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-DGBFQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	41056
Entropy (8bit):	5.04631924061467
Encrypted:	false
SSDEEP:	768:BX9xd/KzuwlRIbQhOsWx1LCrLXI1nc9xi79Jd3z/ijPmhaohJZ/6A9h:BjsKuuIA9h
MD5:	84DEF6EB0D41C6B208DC679FBF4AAF91
SHA1:	4B6E6116E8EA25B37EF6DD43BB8062805E58A099
SHA-256:	22A596F719A6208B8EB3BF93A1025BBB9C92F31F5E3E6E37995AB58B4514B083
SHA-512:	A831344C2D1ED8E2E5339A890A6E2F96160333D90AB1469D0F20C0BF3034068AECCEF609443405E807E01F074B4E4D9CF3BD7A319B2B30FF10727D3644576453
Malicious:	false
Preview:	{\rtf1\adeflang2145\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1031\deflangfe1031\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\f297\fbidi \fswiss\fcharset204\fprq2{\\panose 00000000000000000000}Arial CYR;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 020405030504060

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-DLSIE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	52996
Entropy (8bit):	5.037460927420348
Encrypted:	false
SSDEEP:	768:Bk31e0/Yzc00QfHyUCp5N7G5V5V5h5G5P5N5TRrbGY+FNSdE2CUuHctO9P0CS0t0:BV0kIA9I
MD5:	77A17A8F48C96F611F14429D732C1F73
SHA1:	FE3F09AF1390F0C2F780A172450B3CCF54A09CD0
SHA-256:	F2B98A3175FC09320625C396606DA5058A192A5AF54A0C61D491E5FCB7EC96C4
SHA-512:	3A3AE1E13D1E24081A3913B34638DA25DC2FF39BBFB3151464B0E330828D9A3E3AB876E546E90C11E858FF1611F02686874D1106AF59A79F6399EC5DA7F60C26
Malicious:	false
Preview:	{\rtf1\adeflang2145\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1031\deflangfe1031\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \from

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-FPE1Q.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43450
Entropy (8bit):	5.051452976930654
Encrypted:	false
SSDEEP:	768:Bwqtxdo1SeUGLicPI0QhhiLVptabQhOsWx2DKxwaOqBdLE0aWsaeyXH62lGFcaZl:BvrUneKD/IA9B
MD5:	843D629B19FC6C1C760CCCF79DCD8778
SHA1:	E1FD65A3F296C7F966AD9A3CA7C6C970127FCC04
SHA-256:	369458B9EAD9880E66B906332948AE38AEB74173BB24FEFD65B18438FECFCD23
SHA-512:	0C3E239B14888868A2F5FB95A7446E22460819B6DE4C2AE8C23C1E31C25D4FC4B9A04D861ED516A975A8397DB621BA517AB29606FBEAFBD70E7A6131D2604D58
Malicious:	false
Preview:	{\rtf1\adeflang2145\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1031\deflangfe1031\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-GBOLV.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42867
Entropy (8bit):	5.0494431999578
Encrypted:	false
SSDEEP:	768:BXKxdC6T2njX8x3TLjwUtqYepfwDyQbLjJAfop7ATX8zOpSyXZSpyEW7HuHlV1Z9:BYFfIA9p
MD5:	2130BD1D1919D711A5AF21035C3503CC
SHA1:	0F92AF4AD5D98942DD464C2D2DBFB2D23FC7BF1B
SHA-256:	C62CAA4DFD7ADE415A27535B12C7B80992C1617106CEA4D271D8B159D97DC724
SHA-512:	28EF2FF5A3AA227A1532E1283EB5D530F8BC45C401B346503A60CA026718D64A5CB020D198DC43B16FCD3FA751E36524D8BDDEB7E8FA9D3209B86211AB728612
Malicious:	false
Preview:	{\rtf1\adeflang2145\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1031\deflangfe1031\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 020206

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-H6GFC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	36818
Entropy (8bit):	5.041090274116406
Encrypted:	false
SSDEEP:	768:BbKxdCpT2njX8x3fDVyOvjU0EGi2YuWZ/6A9m:Bs2TyIA9m
MD5:	FF313FAF3C594763F16D083E7036D86A
SHA1:	E0C366F97CBF210063B17FA453D0A2EAA879953A
SHA-256:	FA691CAE1E17899C0EFA053BE2EFDF95D9E4F13C10F02A7683FA5C88E66F52EA
SHA-512:	2D64CF19B391D3900226225EE74DB20DD5542A1F2A8635A92CB83C0B948A815B5FC28ADF979713417EE97EAE0CB02CCD1E2FF1EA5648A9C250DE60221177FEA5
Malicious:	false
Preview:	{\rtf1\adeflang2145\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1031\deflangfe1031\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhimino

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-JM951.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	49864
Entropy (8bit):	5.043460580292076
Encrypted:	false
SSDEEP:	768:Bbi4jegzTJqNgVVhGPNXturfTYlDojU7FDSSmDP3QyYd9RhtAx/IFdNJf+v/AXQ0:BJkethIA9Q
MD5:	C5AC9F8F23886CDA2348A3BC382F8F9B
SHA1:	E18B97EA75873D424D0F0CDD349632CA3C96B656
SHA-256:	EC49E0ED640B29CF852E455D9D0A7666914DC7114D771F514405944F6C8D3733
SHA-512:	4A8FB239C01F8E1A163C6CB75C84884CADBAF0FA25159218D40F73F73A9255353134EA0D64800EAC40E49383085D5EFF05662B78FF43696A69A1FB591C80A7F1
Malicious:	false
Preview:	{\rtf1\adeflang2145\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1031\deflangfe1031\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhimino

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-K8R2L.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	46778
Entropy (8bit):	5.04213022372363
Encrypted:	false
SSDEEP:	768:BbO4jB7F2njX8x3nF9k6Bvtk+k1pJKOQBX0hUH/EIvx9WahytOAnkWiwaTdnkmDk:B1hKIA9N
MD5:	F60A5BBD42D01BA5BE2200C53152A370
SHA1:	D5F8ED456623E3D8B44D6D87EDC705A0A27D0382
SHA-256:	7E5BED54A681A9701FBD6B6C12A4A53594DECD4B60AE8087DB96DCAD23DDF72C
SHA-512:	C66DA1A5D293F957A84B9B787B5487CD38A04DE39B4B955E1214954FE64FE14654265F942991A77816DB83BBED95818D1F5EE825B8C5AADD60B2A48EC1CEC841
Malicious:	false
Preview:	{\rtf1\adeflang2145\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1031\deflangfe1031\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhimino

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-OPDG4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	36262
Entropy (8bit):	5.030821265978035
Encrypted:	false
SSDEEP:	768:q4OkUx1ETicPI0QhhiLV/gKsmWgFdMXZ/6A9z:q44VUnSIA9z
MD5:	61D796543650EBE8C4A143DCAFAE4D24
SHA1:	54CD649E28D6442AA3946EE9891A156A68A3B2CB
SHA-256:	585B560159CC4BDB9361F30B002CE9AA44AD510FB30A61257076810146B2D918
SHA-512:	201BFB392E79FBC5A62A63610CD19B009ED98C54D5DF34B86C696C757175CD1DB3650B0CE0938C5C3529BD155C9E63E158D153588C723A1F968BDDBF05017A68
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fdb

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-OSDSS.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	37003
Entropy (8bit):	5.038330646707192
Encrypted:	false
SSDEEP:	768:BbKxdCjOcPI0QhhiLVZMB5WjuOBYB1xlmZ/6A9P:Bs5Un9IA9P
MD5:	75DF6CB458A94E38B33006A5BB1AB3CA
SHA1:	7EE17FB0A1760D5C89FC4B86CB98CF3EA71E333D
SHA-256:	81275BC2F9DF017DD33438D44E3F4ACECDAC376281CD5C37F782538D937F8E3F
SHA-512:	89CD75E4140B9C9F90DB760FA806039017AF4558FC74AE5327F547DD7E3DF14710925F1F7C55C648F7A947753B48703A1AC47F905C9EDF454599828F3CD4A86D
Malicious:	false
Preview:	{\rtf1\adeflang2145\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1031\deflangfe1031\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhimino

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-PS0FB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	53700
Entropy (8bit):	4.980792929518482
Encrypted:	false
SSDEEP:	768:qqOkbe0ULHT2njX8x3TLjwUtqYepAkVZEdvI9DfLBmKPKPqP/tPw8Ecnv7eJTEcc:qq0EfLBGIA9Jk
MD5:	4F112D455797B724837B7714D54B6621
SHA1:	20351467C091733C0E7F4848B7809D54112143FE
SHA-256:	6ED5F0BC906B1E1A884CCF648C4D81FAD8B0B6D8A13F07BC90796811E6C13035
SHA-512:	928762682FE7FFCB119E93C8AB228EBF62D63763230A2C43F76D9504DC9DB4BF85E0519C2E4245B20FAC038DC83DBDA82FDDB606FD9C7F4552CAA86B61904121
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-T6N91.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	68188
Entropy (8bit):	5.031260319156822
Encrypted:	false
SSDEEP:	768:q4eox1edVW3C79k5haj5g5V5V5h5G5P5N5R5gVVhGPN8turfTYlDSsGx7TYlD+sE:q4N18T22yAwfv1vfvZ9I+kXrPtIA9D
MD5:	FAC5492A79C913CDD25F21166FB2CBDC
SHA1:	F989F1D0D67D3B121AD1B4A491FE81CC6D1C55D2
SHA-256:	5C9D5955EB4E98A177EDA4E4B39BF09E19E3D6B83E634CA5C72CEFBDB8FE7178
SHA-512:	A715FC343E1183806AA428EDF040B6964EEA8492751C6453293729874A77F43867246813625D4C0D62ACBD00DC0BDE267EBF1285B3A96C0C5D5B4C9F0BF5CF7D
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-U91I8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	41676
Entropy (8bit):	5.05075856281513
Encrypted:	false
SSDEEP:	768:Bwqtxdo1SeUGLicPI0QhhiLVptabQhOsWx2rvx6qk0oDHvZlLMKFZ/6A9d:BvrUneKrsIA9d
MD5:	CE47EF60A1B6296B4770FEE4454B1E06
SHA1:	5B17759D122086E5E02A32BFB947A8746EF3076D
SHA-256:	9BB74EA64A2AAEC3470E7EE10C1EE4CA70AC357CB6DDF9D6C810869B7A18BB25
SHA-512:	2727839D56824EF21AB7F3340649483F576665EE1B561A2FD72ED31158B6FE2B854880558E991DF5F9B48125A8E85A1E3D88623C0282151285FBCA5470FFE7EA
Malicious:	false
Preview:	{\rtf1\adeflang2145\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1031\deflangfe1031\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\german\is-VVJGM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42553
Entropy (8bit):	5.039163820303254
Encrypted:	false
SSDEEP:	768:qqOkDx1eVGh+DoLLXI1nhDGi3w2EHlT2njX8x3DldDMomI6u5DumZ/6A9X:qqb5nIA9X
MD5:	34E55F7E9F1B2541BE0A17FB6871F9C9
SHA1:	C9E188BCC39C88251CE9CBBA13E20F7BCA48F89F
SHA-256:	B02273E5A9A45909D24B7349E45BE521B9421CB93CE1803BAE7B4FA317443376
SHA-512:	D2C86622CD0726F5A480D11A3734C742D82853467CF3C1FB36F9ADE0873227862E26C366B8DD1E45B8D48F6AF62BA22FCD2C4C8FEEEEC6740B290F3E814ED65D
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\is-2O48G.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	18105
Entropy (8bit):	4.914759029617811
Encrypted:	false
SSDEEP:	384:URE/HLpJKNLC8/c0vrhUhdpZ/i7fTfHV8Vpx+Mq6iYi/pVF8g2EM2luoH:Ue4L5c0dffTfHV8Vpx1q6PGcIN
MD5:	BFB8A8B63285BED940FCB94F09B9831C
SHA1:	68FBB4A6FBBEDBE14F29D35231D7C8042B994FDC
SHA-256:	ED446A54940D338CD9D8EA1EB8F1B5DE55C29E57D370C3DBD789B06CB03F89D1
SHA-512:	B8D5A1657CC038DEB5DDA2B7B3628A637FC9A33D834658F340736534FF54B3F432137902CEAA7B4D409847CF8945850726C25BA43D48572B6DF554D6F1180FEF
Malicious:	false
Preview:	.[LngFile]..###############################################################################..####### Attention! Do Not change the key phrases left of sign "="! ############..###############################################################################..tbStart=" Empec."..tbStartHint="Habilite el registro"..tbStop="Det.ngase"..tbStopHint="Desactive el registro"..tbFind="Encuentre"..tbFindHint="Busque la informaci.n del registro"..tbSetting="Ajustes"..tbSettingHint="Ajustes del programa"..tbAbout="Acerca de"..tbAboutHint="Acerca de / informaci.n de registro"..tbHomePage="P.gina Principal"..tbHomePageHint="Ir a la P.gina Principal del programa"..tbToday="Hoy"..tbTodayHint="Ir al registro de hoy"..tbHide="Oculte"..tbHideHint="El modo invisible (ninguno icono en la bandeja del sistema)"..tbMinimize="Minimice"..tbMinimizeHint="Minimizar a la bandeja"..tbExit="Salir"..tbExitHint="Salir y parada del registro"..gbLog="Registro de eventos"..tCurrLogSize="Tama.o del registro (Mb)"..tCu

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\is-4GFTP.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	16556
Entropy (8bit):	4.923426103120617
Encrypted:	false
SSDEEP:	192:f9xAt+/MjlJ/5mOT3Y7hOjeJRz1QIGiGUzF6lDCDjY3qfTmXq6Cf3ChMprBarJKk:f9xAt+/YJRm7hOjqRztXjUohQgo2c8q
MD5:	02D8248BD855CDB71040E0F9574F87BA
SHA1:	57DBD8510CF6095AEB388ADC6CA364E24159AA93
SHA-256:	9F3EA2494321C7F328B2BC47A88014325635C375357364A6C3B2E82582B6B92E
SHA-512:	BA298788419944397B942D24DF6728E4E599AC82EEE9B2E55EFE8B064D46DBADD9499C319311D8DADAAF09B05C7817D040166E51F7C8CC61ABB7EAA48DFEF75C
Malicious:	false
Preview:	[LngFile]..###############################################################################..####### Attention! Do Not change the key phrases left of sign "="! ############..###############################################################################..tbStart="Start"..tbStartHint="Enable logging"..tbStop="Stop"..tbStopHint="Disable logging"..tbFind="Find"..tbFindHint="Search for log information"..tbSetting="Settings"..tbSettingHint="Program settings"..tbAbout="About"..tbAboutHint="About / registration info"..tbHomePage="Home Page"..tbHomePageHint="Go to the Program Home Page"..tbToday="Today"..tbTodayHint="Go to todays log"..tbHide="Hide"..tbHideHint="Stealth mode (no icon in the System Tray)"..tbMinimize="Minimize"..tbMinimizeHint="Minimize to Tray"..tbExit="Exit"..tbExitHint="Exit and stop log"..gbLog="Event Log"..tCurrLogSize="Log Size (Mb)"..tCurrScrSize="Screenshots Size (Mb)"..tCurrSnpSize="Webcam Snapshots size (Mb)"..tCurrSoundsSize="Sound files size (Mb)"..tCurrVideosSize="W

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\is-54Q2M.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	20158
Entropy (8bit):	5.545454487892828
Encrypted:	false
SSDEEP:	384:UZbTxZJZoqbCXEgYNOZFnXzLlWQIrNacgzC8:UBsFXz5W1NaTC8
MD5:	83BB9F0497B9AB6253E89031489B1426
SHA1:	615173830C682F617B432B3FDFAFA6A454F83227
SHA-256:	6F6FF460416BDF31A6F2EA62F313D79C6FC6BF6DCFD30C1A45F82C5A89625135
SHA-512:	41811B650273E10523DEAEFA614C39EB5BE7FD25EB043DAAC44B86B33A9827837DF95861CC848F9DB54FCB09458CA6ED65D68C59FD29B88E5278C050D523717A
Malicious:	false
Preview:	.[LngFile]..###############################################################################..####### Attention! Do Not change the key phrases left of sign "="! ############..###############################################################################..tbStart="...."..tbStartHint=".........."..tbStop="...."..tbStopHint=".........."..tbFind="...."..tbFindHint="........."..tbSetting=".."..tbSettingHint="........"..tbAbout="...."..tbAboutHint=".... /...."..tbHomePage="......"..tbHomePageHint="................"..tbToday=".."..tbTodayHint="........"..tbHide=".."..tbHideHint="....... (..................)"..tbMinimize="....."..tbMinimizeHint="........."..tbExit=".."..tbExitHint=".........."..gbLog=

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\is-7ITUB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	17555
Entropy (8bit):	4.990937912274833
Encrypted:	false
SSDEEP:	192:UfZj6oFtyWJJJuou35vzX6FcNnAy9+1C9ou8dr0+MjKcEdQAid:UfZj6oFtyWXRybX6Ad4C9q6pEdb+
MD5:	5EF976FE519D1D4642366F2A08E2DAEC
SHA1:	6B15B59F50CF05B244AA1E8005E757296C07C83D
SHA-256:	8A15873AE821FA5633F5148A62582134BFF0605BF3FCEBD644B5EC5D57BC13D1
SHA-512:	EBF8117A224FC59CDB7501720579DBA308EDD5E0B09210872ED392F3CD6E816C4C8751010C34E415EF594EE2AFF10BE1225140B0CE79C912D98FB128ACFAAD0C
Malicious:	false
Preview:	.[LngFile]..###############################################################################..####### Attention! Do Not change the key phrases left of sign "="! ############..###############################################################################..tbStart="In.cio"..tbStartHint="Habilitar registro"..tbStop="Parar"..tbStopHint="Desabilitar registro"..tbFind="Buscar"..tbFindHint="Procurar por informa..o de registro"..tbSetting="Configura..es"..tbSettingHint=" Configura..es de programa"..tbAbout="Sobre"..tbAboutHint="Sobre / informa..es de registro"..tbHomePage="P.gina Inicial"..tbHomePageHint="Ir para a P.gina Inicial do Programa"..tbToday="Hoje"..tbTodayHint="Ir para o registro de hoje"..tbHide="Ocultar"..tbHideHint="Modo Furtivo (nenhum .cone na Bandeja do Sistema)"..tbMinimize="Minimizar"..tbMinimizeHint="Minimizar Bandeja"..tbExit="Sair"..tbExitHint="Sair e parar o registro"..gbLog="Registro de Eventos"..tCurrLogSize="Tamanho do Log - Registro (Mb)"..tCurrScrSize=

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\is-7RMHJ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	21284
Entropy (8bit):	4.955762125650598
Encrypted:	false
SSDEEP:	384:UyK3wUGkRqqS7M2IgCEAIAiIYNwCPjuPTyySHaNM7lcomkn3w:UhgqSUdEpNw+jMTHS6ew
MD5:	9FE66907C231861FA4483CB6E94C3387
SHA1:	F2CB3F6ACD25DEF9E840A8E750DAF6AE1E1D4624
SHA-256:	C80B9CF172E84C3AA2FA1367ACDD8D51A55EDFBCC5E0FDC4308A758F945409A3
SHA-512:	A93883899A1EB2BE1601ADE62FFD07FD60B4707D3F9CCE62A620296BB39497D0505F0699952266D6E515555E9DD7C842F4AC7356E2256BA66FF4161BBBEDD9CC
Malicious:	false
Preview:	.[LngFile]..###############################################################################..####### Attention! Do Not change the key phrases left of sign "="! ############..###############################################################################..tbStart="..."..tbStartHint="..... ......."..tbStop="...."..tbStopHint="..... ......."..tbFind="....."..tbFindHint="..... .. ....... ......."..tbSetting="........."..tbSettingHint="....... ........"..tbAbout="..."..tbAboutHint=".../...... ......."..tbHomePage="...... ........"..tbHomePageHint="...... ... ...... ........"..tbToday="....."...tbTodayHint="...... ... ... ....."..tbHide="....."..tbHideHint="..... ..... (.. .... ... .. .... ......)"..tbMinimize="....."..tbMinimizeHint="..... ... ......"..tbExit="...."..tbExitH

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\is-BG18L.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	26174
Entropy (8bit):	5.07464655812006
Encrypted:	false
SSDEEP:	768:lBliM0GJTzXqMKG4Yv/DOo8eKjHHhSvMonfGG:8MjTz/yWCo8eaHhW7n+G
MD5:	8F079BA13830C37E365B8E2BD88A3D72
SHA1:	1A8CA8E82B7253233920BD1233A380F198EE99A6
SHA-256:	B0A24D081DE15FD4030DCFC12E981A30B099A865C5F7D73DA996A3E38BE84B8B
SHA-512:	4657BDB5B8DA99E6706697308878ED9942ECECA2FD3ACCDE2174769BEEEFEE4B291FD033572DE8A0D6A397F62885B237A69519ACF1F6B9A4BF425530608ECCFC
Malicious:	false
Preview:	.[LngFile]..##############################################################################..# ........! .. ....... ........ ..... ..... .. ..... "="!..##############################################################################..tbStart="....."..tbStartHint="...... ...... ......."..tbStop="...."..tbStopHint="......... ...... ......."..tbFind="....."..tbFindHint="..... .......... . ...."..tbSetting="........."..tbSettingHint="......... ........."..tbAbout=". ......"..tbAboutHint=". ......... / ............... .........."..tbHomePage=".. ...."..tbHomePageHint="....... ........ ........ ........."..tbToday="......."..tbTodayHint="....... . ............ ...."..tbHide="......"..tbHideHint="......... ..... (... ..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\is-BSAEG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	10729
Entropy (8bit):	4.895193466513973
Encrypted:	false
SSDEEP:	192:UCTESqmmj063CVRDYVifDAXX5B55ZcgqYMLGP6j6zdpc8aS6X:UCTESqmmj063sRDYVif0Xj/KgqYFP6ec
MD5:	E7E0657F38CCCB6A3718C985D1E2123E
SHA1:	C85CEFA9FFFD4C00B9F2AC413B855CC13B4D409D
SHA-256:	9A9851DD493FBA1F982D47FD0EFF2BC5A5CE54F9ED6CE861437803B92A7E70F8
SHA-512:	0D043C7655ED23363AF2AE5C001C879469959B77B0C770AA1A656612F893523288D323A24D02DD5F81B277C773284F50DFB1AD0B4F7FA7F4ECECD9C5688E8B26
Malicious:	false
Preview:	.[LngFile]..###############################################################################..####### Attention! Do Not change the key phrases left of sign "="! ############..###############################################################################..tbStart="Start"..tbStartHint="Abilita logging"..tbStop="Stop"..tbStopHint="Disabilita logging"..tbFind="Trova"..tbFindHint="Cerca informazioni di log"..tbSetting="Impostazioni"..tbSettingHint="Impostazioni programma"..tbAbout="Circa"..tbAboutHint="Circa / informazioni di registrazione"..tbHomePage="Home Page"..tbHomePageHint="Vai alla Home Page del programma"..tbToday="Oggi"..tbTodayHint="Vai al log di oggi"..tbHide="Nascondi"..tbHideHint="Modalit. Stealth (nessuna icona nella barra delle applicazioni)"..tbMinimize="Minimizza"..tbMinimizeHint="Minimizza nel Tray"..tbExit="Esci"..tbExitHint="Esci e ferma il log"..gbLog="Log Eventi"..tCurrLogSize="Dimensioni correnti Log (Mb)"..tCurrScrSize="Dimensioni correnti Screenshot (Mb)"..tMaxL

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\is-C5N4T.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	15246
Entropy (8bit):	5.241498262971698
Encrypted:	false
SSDEEP:	384:fd+wUQhflYfUg7EXwoXy5Pt/5k9bS+RnZ1vA:fVli88Pt/ObVZG
MD5:	209A6E281884E74DB03D9ABFAED13D84
SHA1:	99042977B81136A8DFBB65D92F33A798467D8E51
SHA-256:	C4212B1EDA9C4515CACC91B96DB6E98F49148D2C314F5851F73BFA4A9A462B89
SHA-512:	C8A321C10E67171BAEA7AC61541C209BEA72E850D3948D88F8CC98D756A855ADE16F1325C9A4EC3980484473B890C32D8054E0A9870FE453CEB65C7324B8521B
Malicious:	false
Preview:	[LngFile]..###############################################################################..####### Attention! Do Not change the key phrases left of sign "="! ############..###############################################################################..tbStart="Ba.la"..tbStartHint="G.nl.k tutmay. a."..tbStop="Durdur"..tbStopHint="G.nl.k tutmay. kapat"..tbFind="Bul"..tbFindHint="G.nl.k bilgisi ara"..tbSetting="Ayarlar"..tbSettingHint="Program ayarlar."..tbAbout="Hakk.nda"..tbAboutHint="Hakk.nda / kay.t bilgisi"..tbHomePage="Ana Sayfa"..tbHomePageHint="Program.n Ana Sayfas.na Git"..tbToday="Bug.n"..tbTodayHint="Bug.n.n g.nl...ne git"..tbHide="Gizle"..tbHideHint="Gizlilik modu (Sistem .ubu.unda hi. simge yok)"..tbMinimize="K...lt"..tbMinimizeHint="Simge Durumuna K...lt"..tbExit="..k"..tbExitHint="..k ve g.nl... durdur"..gbLog="Olay G.nl..."..tCurrLogSize="G.nl.k Boyutu (Mb)"..tCurrScrSize="Ekran Resmi Boyutu (Mb)"..tCurrSnpSize="Web Kameras.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\is-FEBOU.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	17247
Entropy (8bit):	5.760495894350821
Encrypted:	false
SSDEEP:	384:fA4WN9lOQy166uXz7tw7ROcW70cfgjqiK3NuaMV4e:fAfy1LuntiROcWLJuaMVJ
MD5:	20F494133ABF2FBE8F0E93D9197A3A61
SHA1:	377729F86E995833F10E005C54B5B47F769D17A1
SHA-256:	B8BE4611E02739F8B9B829A0B62D747ADA0F7D23BAC45987C1925D6177CEDCE6
SHA-512:	973AB47E514287A4A7383376683A1A18BE138C9D0325103B8CA98D048C385E78BB1A70A0E770217B076B676D804A7F23430183258ABB1E15E22A6B8A5A6222B1
Malicious:	false
Preview:	[LngFile]..###############################################################################..####### Attention! Do Not change the key phrases left of sign "="! ############..###############################################################################..tbStart=".."..tbStartHint=".. .."..tbStop=".."..tbStopHint=".. ...."..tbFind=".."..tbFindHint=".. .. .."..tbSetting=".."..tbSettingHint=".... .."..tbAbout=".."..tbAboutHint=".. / .. .."..tbHomePage="...."..tbHomePageHint=".... ..... .."..tbToday=".."..tbTodayHint=".. ... .."..tbHide=".."..tbHideHint="... .. (... .... ... .. ..)"..tbMinimize="..."..tbMinimizeHint=".... ..."..tbExit=".."..tbExitHint=".... .. .."..gbLog="... .."..tCurrLogSize=".. .. (Mb)"..tCurrScrSize=".... .. (Mb)"..tCurrSnpSize=".. .

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\is-IND1D.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	18477
Entropy (8bit):	4.982235906141159
Encrypted:	false
SSDEEP:	384:Ui/yM5JVBb8Mc2MfcwNx0TiTtGNleNglf8sj1AfDqL:UFGYD+icNleNhcKGL
MD5:	8E01527303041D6B50441EB7651F2B80
SHA1:	D83C41BAE66A98512192845767B1CD0DFA1D166F
SHA-256:	7A651F9B7C4585FFFCD71328590E9972BB7FF149D342D6106BBDE1E9AF7E07B2
SHA-512:	0673F5240D2C2B581615816B12198EB7D85556E6919F2067D8E14CC7538EAD34B528F87E570725EA2203963D1AFFED62CE622BC4A49E7A402FA5FAF3C54278C3
Malicious:	false
Preview:	.[LngFile]..###############################################################################..####### Attention! Do Not change the key phrases left of sign "="! ############..###############################################################################..tbStart="Commencez"..tbStartHint="Activez le journal de bord"..tbStop="Arr.tez "..tbStopHint="D.sactivez le journal de bord"..tbFind="Trouvez"..tbFindHint="Recherchez des informations dans le journal de bord"..tbSetting="Param.tres"..tbSettingHint="Les param.tres du programme"..tbAbout=". propos"..tbAboutHint=". propos / informations de journal de bord"..tbHomePage="Page d'accueil"..tbHomePageHint="Allez . la page d'accueil du programme"..tbToday="Aujourd'hui"..tbTodayHint="Allez dans journal de bord d.aujourd'hui"..tbHide="Masquez"..tbHideHint="Le mode furtif (pas d'ic.ne dans la zone de notification)"..tbMinimize="Minimisez"..tbMinimizeHint="Minimisez au magasin"..tbExit="Quittez"..tbExitHint=" Quittez et arr.tez le jour

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\is-KO6AT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	14985
Entropy (8bit):	6.01225865337666
Encrypted:	false
SSDEEP:	192:9DL/YIoCnMY+innEvlPTgFQXU516bXHsFAp/JflpqJPeNKa:9DL/YIoCnMMnEpEXyb3cAtJfXx
MD5:	D694978CB5837A70DB8846C1D27C68FF
SHA1:	C3693D61AAF98F9F9F3E84A51865DA5B8787BAC5
SHA-256:	86E2EA03E24AF060EEAF5DD6B9CE58225FE2F1AAB929816FCC016A667F57D57F
SHA-512:	526873CD21A713E59C7BB094984A1E25F4A548D9FA0690A5CC6CD715C04B11C8EA629FC46A98340217B329C9771D0658BE3D260893607CDB985D859EA2390B4C
Malicious:	false
Preview:	.[LngFile]..###############################################################################..####### ....... "=".......! ############..###############################################################################..tbStart=".."..tbStartHint="...."..tbStop=".."..tbStopHint="...."..tbFind=".."..tbFindHint="......"..tbSetting=".."..tbSettingHint="...."..tbAbout=".."..tbAboutHint=".. / ...."..tbHomePage=".."..tbHomePageHint="......"..tbToday=".."..tbTodayHint="......"..tbHide=".."..tbHideHint="................"..tbMinimize="..."..tbMinimizeHint="......"..tbExit=".."..tbExitHint="......."..gbLog="...."..tCurrLogSize="....(Mb)"..tCurrScrSize="......(Mb)"..tCurrSnpSize=".........(Mb)"..tCurrSoundsSize="...... (Mb)"..tCurrVideosSize=".

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\is-TA8DN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	17428
Entropy (8bit):	5.0343241161621295
Encrypted:	false
SSDEEP:	384:USTHedgI9UbHmTeCmfwoxKza62zxpZ6oV00azB:U0I2bH2NRKKzwxpZ9j8
MD5:	484F056E4983C28073C2ECF2568253F7
SHA1:	D1E8DC3EFA44A38908D991B1BE27B945DF2B68C5
SHA-256:	E0DEB70E8B09D4F3939B5869CCC265368FDBB79798D70937B563403DAE328F8E
SHA-512:	6572C33278797C6EA1EDADFA9B29545DF0CB2F9DCCF16EFE80E395A97A0B7563C08FFB3380B8E36EB676C3E82E747AE0317F19E918E6D090CE9A59D64167A7C3
Malicious:	false
Preview:	.[LngFile]..###############################################################################..####### Attention! Do Not change the key phrases left of sign "="! ############..###############################################################################..tbStart="Start"..tbStartHint="Erfassung aktivieren"..tbStop="Stop"..tbStopHint="Erfassung deaktivieren"..tbFind="Finden"..tbFindHint="Nach Protokoll Informationen suchen"..tbSetting="Einstellungen"..tbSettingHint="Programm Einstellungen"..tbAbout=".ber"..tbAboutHint=".ber/ Informationsinfo"..tbHomePage="Home Page"..tbHomePageHint="Gehen Sie zum Programm Home Page"..tbToday="Heute"..tbTodayHint="Gehen Sie zum heutigen Protokoll"..tbHide="Verstecken"..tbHideHint="Stelth Modus (Kein Icon im Systempfad)"..tbMinimize="Minimieren"..tbMinimizeHint="Auf Ablage minimieren"..tbExit="Ausgang"..tbExitHint="Ausgang und Protokollstopp"..gbLog="Vorgangsprotokoll"..tCurrLogSize="Protokollgr..e (Mb)"..tCurrScrSize="Screenshots Gr..e (Mb)"..tCur

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-2530F.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	7884
Entropy (8bit):	4.965317939103163
Encrypted:	false
SSDEEP:	192:zersYRcg17pzo2uz1FwLcxwSwbzUPhjNAqecUAySMnuturWGi:ZYf7doz1FwLcxwSwnUPhxAqecUAyLuIA
MD5:	83F331C3191915043D3C1F96D04AD2AA
SHA1:	1F5A281457AD229178ADFE68E6ED3C407DD15BA5
SHA-256:	864E70E0CBF1CBB5EF7B65EC5A90D617D299A0C896E17EA6C973BF5D0F44ADA0
SHA-512:	C047F469B1A5BF82D88443D33B1B26AA30B4CB1E5C8A515119B5D62B3D98C4761830761D0813994DAA9BDE86BB7F73ABF47ADDE25A74D6FCEA05D5F0E0E779B6
Malicious:	false
Preview:	{\rtf1\ansi\deff3\adeflang1025.{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Liberation Serif{\\falt Times New Roman};}{\f4\fswiss\fprq2\fcharset128 Liberation Sans{\\falt Arial};}{\f5\froman\fprq2\fcharset128 Arial;}{\f6\froman\fprq0\fcharset128 Arial;}{\f7\froman\fprq2\fcharset128 Times New Roman;}{\f8\froman\fprq0\fcharset128 Times New Roman;}{\f9\fnil\fprq2\fcharset128 WenQuanYi Micro Hei;}{\f10\fnil\fprq2\fcharset128 Lohit Hindi;}{\f11\fnil\fprq0\fcharset128 Lohit Hindi;}{\f12\fnil\fprq2\fcharset128 Arial;}{\f13\fnil\fprq0\fcharset128 Arial;}}.{\colortbl;\red0\green0\blue0;\red128\green128\blue128;}.{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af9\langfe2052\dbch\af10\afs24\alang1081\loch\f3\fs24\lang1040 Predefinito;}.{\s15\sbasedon0\snext16\sb240\sa120\keepn\hich\af9\dbch\af10\afs28\loch\f4\fs28 Intestazione;}.{\s16\sba

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-4NAQN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	40044
Entropy (8bit):	5.023249387110861
Encrypted:	false
SSDEEP:	768:2rF4DO6xByF3LSVj1BgpGk1WhhIHRYRv0lsSTz3BAbZ/6A9u:2raDlZIA9u
MD5:	994EC92B482BB93D1038B2F931B60AA4
SHA1:	130934CF53D1215C4955232421AB44C7CCD1F95B
SHA-256:	9A48D1986A44E9021CE072DE9A9D542357048ABBE6807E4CA151661708969D3C
SHA-512:	5F2424B1B38FC0939FDCF6C29A72067174CB49FC4F97C6CE284570984047B4D5CFBDBB84D63F619DF24B8EAF070FAC3EE71858CD7D9536F5C7920A0AACA895E1
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f39\fbidi \froman\fcharset128\fprq2{\\panose 00000000000000000000}Liberation Serif{\\falt Times New Roman};}..{\f40\fbidi \fswiss\fcharset128\fprq2{\\panose 00000000000000000000}Liberation Sans{\\falt Arial};}{\f41\fbidi \fnil\fcharset128\fprq2{\\panose 00000000000000000000}WenQuanYi Micro Hei{\\falt MS Mincho};}..{\f42\fbidi \fnil\fcharset128\fprq2{\\panose 00000000000000000000}Lohit Hindi{\\falt MS Mincho};}{\f315\fbidi \fnil\fcharset128\fprq2{\\panose 00000000000000000000}@WenQuanYi Micro Hei;}..{\f316\fbidi \froman\fcharset128\fprq2{\*\panose 0

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-6GR7T.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	7640
Entropy (8bit):	4.942902125699651
Encrypted:	false
SSDEEP:	192:6L1GSkFI222K2a2O2G2y2E2+2L6z6C6D6E6f6E6O6Y60yM4Nr2R7sB4OYWkXp+Mm:0sFI222K2a2O2G2y2E2+2L6z6C6D6E6u
MD5:	58A7AD4E00C3C48CAC983EAB83D93722
SHA1:	16790F7FED7A5490C15C6A25CD9851B4953E4CF0
SHA-256:	AE872798A7D87EFC10BA3FC5FE65CB5539F84548163F6DB7278705CE4802A0D4
SHA-512:	D609EA322D6AEF1C3EF5E38C749B9C9D168F9865111ACB8F2408D752C20CCE5E5658CD08EB5D2FE79E4627FC0290B33B0D73858FCC821A9D9981009E27EA96C1
Malicious:	false
Preview:	{\rtf1\ansi\deff3\adeflang1025.{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Liberation Serif{\\falt Times New Roman};}{\f4\fswiss\fprq2\fcharset128 Liberation Sans{\\falt Arial};}{\f5\fswiss\fprq0\fcharset128 Calibri;}{\f6\froman\fprq0\fcharset128 Tahoma;}{\f7\froman\fprq0\fcharset128 Calibri;}{\f8\froman\fprq2\fcharset128 Arial;}{\f9\froman\fprq0\fcharset128 Arial;}{\f10\fnil\fprq2\fcharset128 WenQuanYi Micro Hei;}{\f11\fnil\fprq2\fcharset128 Lohit Hindi;}{\f12\fnil\fprq0\fcharset128 Lohit Hindi;}{\f13\fnil\fprq0\fcharset128 Times New Roman;}{\f14\fnil\fprq0\fcharset128 Courier New Baltic;}{\f15\fnil\fprq2\fcharset128 Arial;}{\f16\fnil\fprq0\fcharset128 Arial;}}.{\colortbl;\red0\green0\blue0;\red128\green128\blue128;}.{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af10\langfe2052\dbch\af11\afs24\alang1081\loch\f3\fs24\lang1040

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-6NV3D.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	9031
Entropy (8bit):	4.942487008032181
Encrypted:	false
SSDEEP:	192:6L1GSkFI222K2a2O2G2y2E2+2L6z6C6D6E6f6E6O6Y6Y9jn9js9j39jX9jR9jp9v:0sFI222K2a2O2G2y2E2+2L6z6C6D6E6Q
MD5:	140A646744F5CA2B77DC3CCAB81BE3E9
SHA1:	57D15787E167C9284D0A57DE074749A8A10D6267
SHA-256:	FACA864E826FC4333E1C6D8726C97446A824856214E302B154757A0071BB0666
SHA-512:	F00406EA7C8EDA722707892A86C72A1331F1DEB007A78F34CC27A3B6175D3737AF9DA542F926313644B1CF0D8BAE087529196DBEEC4C7AE6EA3BCD5CE42D0F0F
Malicious:	false
Preview:	{\rtf1\ansi\deff3\adeflang1025.{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Liberation Serif{\\falt Times New Roman};}{\f4\fswiss\fprq2\fcharset128 Liberation Sans{\\falt Arial};}{\f5\fswiss\fprq0\fcharset128 Calibri;}{\f6\froman\fprq0\fcharset128 Tahoma;}{\f7\froman\fprq0\fcharset128 Calibri;}{\f8\froman\fprq2\fcharset128 Arial;}{\f9\froman\fprq0\fcharset128 Arial;}{\f10\fnil\fprq2\fcharset128 WenQuanYi Micro Hei;}{\f11\fnil\fprq2\fcharset128 Lohit Hindi;}{\f12\fnil\fprq0\fcharset128 Lohit Hindi;}{\f13\fnil\fprq0\fcharset128 Times New Roman;}{\f14\fnil\fprq0\fcharset128 Courier New Baltic;}{\f15\fnil\fprq2\fcharset128 Arial;}{\f16\fnil\fprq0\fcharset128 Arial;}}.{\colortbl;\red0\green0\blue0;\red128\green128\blue128;}.{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af10\langfe2052\dbch\af11\afs24\alang1081\loch\f3\fs24\lang1040

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-AASS6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	76355
Entropy (8bit):	4.982630349215747
Encrypted:	false
SSDEEP:	768:KewXZEMuTyIT+TWkN+3vMHRYRv0lTiHRYRv0lTiHRYRv0lHiHRYRv0leUE/lLr/6:KeMEZgIA9C
MD5:	0DD30E30324435D32C3336875F79F308
SHA1:	6F38100EBA73AAD482B1B290FF5C21DD0C3AA692
SHA-256:	D9939A99B67D9267B439373CC44EE14A10432AF1BB3AEB6EBBDDE1839EDCBD99
SHA-512:	62513A5EDAF36F0D69A9519F74795659493A1B0C9B9E662D0AF4C15A7F68043F6C3A2F9231D9C949572D787524448C8F31B4A6AE9D242FB28758BA084C3B9545
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch11\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}..{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f39\fbidi \froman\fcharset128\fprq2{\\panose 00000000000000000000}Liberation Serif{\\falt MS PMincho};}..{\f40\fbidi \fswiss\fcharset128\fprq2{\\panose 00000000000000000000}Liberation Sans{\\falt Arial};}{\f41\fbidi \fnil\fcharset128\fprq2{\\panose 00000000000000000000}WenQuanYi Micro Hei{\\falt MS Mincho};}..{\f42\fbidi \fnil\fcharset128\fprq2{\*\panose 00000000000000000000

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-DL32B.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	17786
Entropy (8bit):	4.892369802650086
Encrypted:	false
SSDEEP:	384:TQ5h222K2a2O2G2y2E2+2L6z+CSD6E+fSE6O+YSY6z+CSD6E+fSE6O+YSS6z6C6w:TQ5h7HvTrbVLWsXixqh/1JsXixqh/1X+
MD5:	B7BE54FA07192D11B0624600C99D449E
SHA1:	372509E74C98F5BAE5A50088B4AA1B18711C834F
SHA-256:	0F599243F6282C72AAC90EEF278B4F7BD5B78161508E494ABAC24E719702DDDB
SHA-512:	20C131AE058B058F60D97E21D7E49BAB6FEC975229AFF7302F6559975CEA91F81130F8D1C15E7200A53A61AFB935FE7B3D608838AA0190A42D09D02C168CFE1C
Malicious:	false
Preview:	{\rtf1\ansi\deff3\adeflang1025.{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Liberation Serif{\\falt Times New Roman};}{\f4\fswiss\fprq2\fcharset128 Liberation Sans{\\falt Arial};}{\f5\froman\fprq0\fcharset128 Calibri;}{\f6\froman\fprq2\fcharset128 Arial;}{\f7\froman\fprq0\fcharset128 Arial;}{\f8\froman\fprq2\fcharset128 Calibri;}{\f9\fnil\fprq2\fcharset128 WenQuanYi Micro Hei;}{\f10\fnil\fprq2\fcharset128 Lohit Hindi;}{\f11\fnil\fprq0\fcharset128 Lohit Hindi;}{\f12\fnil\fprq0\fcharset128 Times New Roman;}{\f13\fnil\fprq2\fcharset128 Arial;}{\f14\fnil\fprq0\fcharset128 Arial;}}.{\colortbl;\red0\green0\blue0;\red255\green0\blue0;\red0\green32\blue96;\red35\green0\blue220;\red0\green69\blue134;\red128\green128\blue128;}.{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af9\langfe2052\dbch\af10\afs24\alang1081\loch\f3\fs24\lang1040 Pr

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-GL0JJ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	10281
Entropy (8bit):	4.953685836066729
Encrypted:	false
SSDEEP:	192:6L1GSkFI222K2a2O2G2y2E2+2L6z6C6D6E6f6E6O6Y6Y9jn9js9j39jX9jR9jp9S:0sFI222K2a2O2G2y2E2+2L6z6C6D6E6Z
MD5:	8D669B205AF7D1401C340D474FADE116
SHA1:	C61F519EF768F519E93F456D61FCEFE93EF1A058
SHA-256:	2B01786D3BA405BAA36920EF092701AF28CEA08F56507D4DE9717D47474C3B65
SHA-512:	0697175789BE81C29F0FBB5DD815FB46B553A6D241D8936C0E29F95D23651A2B730A893B98C90F6F3494B93FF0144F05DE95DB24D089EC01084C0FC8E36B3F70
Malicious:	false
Preview:	{\rtf1\ansi\deff3\adeflang1025.{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Liberation Serif{\\falt Times New Roman};}{\f4\fswiss\fprq2\fcharset128 Liberation Sans{\\falt Arial};}{\f5\fswiss\fprq0\fcharset128 Calibri;}{\f6\froman\fprq0\fcharset128 Tahoma;}{\f7\froman\fprq0\fcharset128 Calibri;}{\f8\froman\fprq2\fcharset128 Arial;}{\f9\froman\fprq0\fcharset128 Arial;}{\f10\fnil\fprq2\fcharset128 WenQuanYi Micro Hei;}{\f11\fnil\fprq2\fcharset128 Lohit Hindi;}{\f12\fnil\fprq0\fcharset128 Lohit Hindi;}{\f13\fnil\fprq0\fcharset128 Times New Roman;}{\f14\fnil\fprq0\fcharset128 Courier New Baltic;}{\f15\fnil\fprq2\fcharset128 Arial;}{\f16\fnil\fprq0\fcharset128 Arial;}}.{\colortbl;\red0\green0\blue0;\red128\green128\blue128;}.{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af10\langfe2052\dbch\af11\afs24\alang1081\loch\f3\fs24\lang1040

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-JE1SK.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	11858
Entropy (8bit):	4.924418755277587
Encrypted:	false
SSDEEP:	192:F9jmDF3222K2a2O2G2y2E2+2L6z6C6D6E6f6E6O6Y6goaB7lE9mNUrloY1gTEzGS:Hq53222K2a2O2G2y2E2+2L6z6C6D6E6u
MD5:	D6E34C937850FDC0AB38B06FE809B95C
SHA1:	A4480E9E250F5C3DC5BDD69696AB9F6EB12E8A56
SHA-256:	355420286A6BCDB2190129A5507012B55DC41FB0660ACE771D09F6E60FAFA173
SHA-512:	47F77867C8A5746DF79A29ABA70360BB2DF54F41C08B4B15E831421F76F24DC6B6AF0EE837084E5DDED8DAE3B549AD3236B5D668852BF357F990244FCE2E9D05
Malicious:	false
Preview:	{\rtf1\ansi\deff3\adeflang1025.{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Liberation Serif{\\falt Times New Roman};}{\f4\fswiss\fprq2\fcharset128 Liberation Sans{\\falt Arial};}{\f5\froman\fprq2\fcharset128 Arial;}{\f6\froman\fprq0\fcharset128 Arial;}{\f7\fnil\fprq2\fcharset128 WenQuanYi Micro Hei;}{\f8\fnil\fprq2\fcharset128 Lohit Hindi;}{\f9\fnil\fprq0\fcharset128 Lohit Hindi;}{\f10\fnil\fprq0\fcharset128 Times New Roman;}{\f11\fnil\fprq2\fcharset128 Arial;}{\f12\fnil\fprq0\fcharset128 Arial;}}.{\colortbl;\red0\green0\blue0;\red255\green0\blue0;\red54\green95\blue145;\red128\green128\blue128;}.{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af7\langfe2052\dbch\af8\afs24\alang1081\loch\f3\fs24\lang1040 Predefinito;}.{\s2\sbasedon15\snext16\ilvl1\outlinelevel1\ql\widctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb100\sa100\keepn\b\hich\

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-LGDI9.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	10431
Entropy (8bit):	4.953862205312216
Encrypted:	false
SSDEEP:	192:su79jU9jV9jW9ju9j89jM9j39jO9jR6z6C6D6E6f6E6O6Y6Y222K2a2O2G2y2E2S:X9jU9jV9jW9ju9j89jM9j39jO9jR6z6o
MD5:	F253166C14180CDA4CF3682EBDA81E10
SHA1:	42CB7285AE2A1D8FFFBDB8E92DD762F116E6E5E7
SHA-256:	21604302E29A98F4F73EB4DD22C1B3FD52840C05B9438769E8568E69A2AD6890
SHA-512:	26EF9FFCDBE8D66B92954FA2DC046B7049B772B789BD4192D62CCDEA211D613413B241E1527396FCCF6087B041A526641C9D12F5C29810637C42AFF812A15061
Malicious:	false
Preview:	{\rtf1\ansi\deff3\adeflang1025.{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Liberation Serif{\\falt Times New Roman};}{\f4\fswiss\fprq2\fcharset128 Liberation Sans{\\falt Arial};}{\f5\froman\fprq2\fcharset128 Arial;}{\f6\froman\fprq0\fcharset128 Arial;}{\f7\fnil\fprq2\fcharset128 WenQuanYi Micro Hei;}{\f8\fnil\fprq2\fcharset128 Lohit Hindi;}{\f9\fnil\fprq0\fcharset128 Lohit Hindi;}{\f10\fnil\fprq2\fcharset128 Arial;}{\f11\fnil\fprq0\fcharset128 Arial;}}.{\colortbl;\red0\green0\blue0;\red128\green128\blue128;}.{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af7\langfe2052\dbch\af8\afs24\alang1081\loch\f3\fs24\lang1040 Predefinito;}.{\s15\sbasedon0\snext16\sb240\sa120\keepn\hich\af7\dbch\af8\afs28\loch\f4\fs28 Intestazione;}.{\s16\sbasedon0\snext16\sb0\sa120 Corpo testo;}.{\s17\sbasedon16\snext17\sb0\sa120\dbch\af9 Elenco;}.{\s18\

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-N7MCP.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	11086
Entropy (8bit):	4.962530121956413
Encrypted:	false
SSDEEP:	192:R2KwSyFd222K2a2O2G2y2E2+2L6z6C6D6E6f6E6O6Y6Y9jl9ju9jV9j19j/9jX9C:Mrpd222K2a2O2G2y2E2+2L6z6C6D6E6h
MD5:	74D21CC581EFD9F3D31C02D2AD6A7881
SHA1:	701EEEA34850D7EE69EFF56E2344A79A7EAD147E
SHA-256:	9F632C17885E51A74C7875780F422952F1BC64DB978D8EBA765251F692C603E3
SHA-512:	97EC2913358966E62D5D69BD63D0D3C378457BE371702957F25358BAB2DD1C514F92AF769C4FA1A1A4CD3B23F1F7C0358E7B838CC80163CF78775634D4CAC8A4
Malicious:	false
Preview:	{\rtf1\ansi\deff3\adeflang1025.{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Liberation Serif{\\falt Times New Roman};}{\f4\fswiss\fprq2\fcharset128 Liberation Sans{\\falt Arial};}{\f5\froman\fprq0\fcharset128 Tahoma;}{\f6\froman\fprq2\fcharset128 Arial;}{\f7\froman\fprq0\fcharset128 Arial;}{\f8\fnil\fprq2\fcharset128 WenQuanYi Micro Hei;}{\f9\fnil\fprq2\fcharset128 Lohit Hindi;}{\f10\fnil\fprq0\fcharset128 Lohit Hindi;}{\f11\fnil\fprq0\fcharset128 Times New Roman;}{\f12\fnil\fprq0\fcharset128 Courier New Baltic;}{\f13\fnil\fprq2\fcharset128 Arial;}{\f14\fnil\fprq0\fcharset128 Arial;}}.{\colortbl;\red0\green0\blue0;\red128\green128\blue128;}.{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af8\langfe2052\dbch\af9\afs24\alang1081\loch\f3\fs24\lang1040 Predefinito;}.{\s2\sbasedon15\snext16\ilvl1\outlinelevel1\ql\widctlpar\faauto\li0

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-N7O2G.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	47653
Entropy (8bit):	5.01810800814238
Encrypted:	false
SSDEEP:	768:2rFexbO6zLpzBDlmvTpIq7GHAR1BgpGk1WhWHi2mM47g0qO2ug04+2WNvg0tQ5qD:2rYbRs7d9ZvIA9t
MD5:	6E75BBD29A0618A73B2937F650F0F678
SHA1:	93EDB94323E37DDD1EC717F4A492442B6B611E3B
SHA-256:	718470BBCEF949095939C54CECB91D117D255A5279D55A204664CE52D1235180
SHA-512:	91C452D52360B231869031CB61255E83AF5D95D0F8C3A2AA0419AF659766E6E1CF4FD16FCE7C85A5EA5164E05C84282D0AA019FCAD85E292BE6D71400FA5D88E
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f39\fbidi \froman\fcharset128\fprq2{\\panose 00000000000000000000}Liberation Serif{\\falt MS PMincho};}{\f40\fbidi \fswiss\fcharset128\fprq2{\\panose 00000000000000000000}Liberation Sans{\\falt Arial};}..{\f41\fbidi \fnil\fcharset128\fprq2{\\panose 00000000000000000000}WenQuanYi Micro Hei{\\falt MS Mincho};}{\f42\fbidi \fnil\fcharset128\fprq2{\\panose 00000000000000000000}Lohit Hindi{\\falt MS Mincho};}..{\f315\fbidi \fnil\fcharset128\fprq2{\*\panose 00000000000000000000

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-NH7US.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	9082
Entropy (8bit):	4.946432574686308
Encrypted:	false
SSDEEP:	192:I2KrPDFr222K2a2O2G2y2E2+2L9jn9js9j39jX9jR9jp9j+9j79ja6z6C6D6E6fp:7Q5r222K2a2O2G2y2E2+2L9jn9js9j3u
MD5:	54A49395929B70CCABC6247E0EA0F779
SHA1:	E522282035DAFE7216BF45CC21762172914D5949
SHA-256:	544C05722BA2824B871D8DC37CC442BF791C266F0E90D96C9A06BF3195D90AFA
SHA-512:	8111740D216DC20333574D61B4C3B39288846315B1EC0214E91B9633D5B48AF8EDF51C77432D0D1FAB10B961D81E6AA4ED981661D37E41DF3E9DD05C9B746DB4
Malicious:	false
Preview:	{\rtf1\ansi\deff3\adeflang1025.{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Liberation Serif{\\falt Times New Roman};}{\f4\fswiss\fprq2\fcharset128 Liberation Sans{\\falt Arial};}{\f5\froman\fprq2\fcharset128 Arial;}{\f6\froman\fprq0\fcharset128 Arial;}{\f7\froman\fprq2\fcharset128 Arial CYR;}{\f8\froman\fprq0\fcharset128 Arial CYR;}{\f9\fnil\fprq2\fcharset128 WenQuanYi Micro Hei;}{\f10\fnil\fprq2\fcharset128 Lohit Hindi;}{\f11\fnil\fprq0\fcharset128 Lohit Hindi;}{\f12\fnil\fprq0\fcharset128 Times New Roman;}{\f13\fnil\fprq2\fcharset128 Arial;}{\f14\fnil\fprq0\fcharset128 Arial;}{\f15\fnil\fprq2\fcharset128 Cambria Math;}{\f16\fnil\fprq0\fcharset128 Cambria Math;}}.{\colortbl;\red0\green0\blue0;\red128\green128\blue128;}.{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af9\langfe2052\dbch\af10\afs24\alang1081\loch\f3\fs24\lang104

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-PJS0O.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	10229
Entropy (8bit):	4.949701462728225
Encrypted:	false
SSDEEP:	192:6L1GSkFI222K2a2O2G2y2E2+2L6z6C6D6E6f6E6O6Y6Y9jn9js9j39jX9jR9jp9z:0sFI222K2a2O2G2y2E2+2L6z6C6D6E6o
MD5:	328B6D1A72880E42399A6A9FAAE89707
SHA1:	B90F232CBADDD083D3E72EED57B362DBB5BB6B89
SHA-256:	731252A5DD9F5F1D6BAF95F06B86795064735EF2EDB2A7B0A0400535B28FB1C2
SHA-512:	70D96DB14DF3EA083AF7512998DBD565CD5DDEFDA0CB61A3378B9563642CB5FACD4D80A70763A454BE7B7BF4AA28A60C9B31AF7916066C9E56C5DB1A6F3D93D8
Malicious:	false
Preview:	{\rtf1\ansi\deff3\adeflang1025.{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Liberation Serif{\\falt Times New Roman};}{\f4\fswiss\fprq2\fcharset128 Liberation Sans{\\falt Arial};}{\f5\fswiss\fprq0\fcharset128 Calibri;}{\f6\froman\fprq0\fcharset128 Tahoma;}{\f7\froman\fprq0\fcharset128 Calibri;}{\f8\froman\fprq2\fcharset128 Arial;}{\f9\froman\fprq0\fcharset128 Arial;}{\f10\fnil\fprq2\fcharset128 WenQuanYi Micro Hei;}{\f11\fnil\fprq2\fcharset128 Lohit Hindi;}{\f12\fnil\fprq0\fcharset128 Lohit Hindi;}{\f13\fnil\fprq0\fcharset128 Times New Roman;}{\f14\fnil\fprq0\fcharset128 Courier New Baltic;}{\f15\fnil\fprq2\fcharset128 Arial;}{\f16\fnil\fprq0\fcharset128 Arial;}}.{\colortbl;\red0\green0\blue0;\red128\green128\blue128;}.{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af10\langfe2052\dbch\af11\afs24\alang1081\loch\f3\fs24\lang1040

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-R22EE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	7403
Entropy (8bit):	4.92938927718366
Encrypted:	false
SSDEEP:	192:su76z6C6D6E6f6E6O6Y6K222K2a2O2G2y2E2+2tuADuEXu6mp49T20l49D7D7DP:X6z6C6D6E6f6E6O6Y6K222K2a2O2G2yx
MD5:	3D3D6A046CC73D49EA8D98E66103EBC5
SHA1:	3F3F6AD63BEE3F893EE2F57AF6D261AFD0A8C639
SHA-256:	344EBAAFF1EC7B1BF2A627DD9A5F1B0D3C5D968F23ADA7D6A7175767B29AF483
SHA-512:	405236F4E6F223EFD593A22047B79156ED9695DDE0EB4BB4261891375C3FE586251AD3E9EE9EDF914AC02AB7C51887F16A5897915B0BEE8CC708CF6B116D9342
Malicious:	false
Preview:	{\rtf1\ansi\deff3\adeflang1025.{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Liberation Serif{\\falt Times New Roman};}{\f4\fswiss\fprq2\fcharset128 Liberation Sans{\\falt Arial};}{\f5\froman\fprq2\fcharset128 Arial;}{\f6\froman\fprq0\fcharset128 Arial;}{\f7\fnil\fprq2\fcharset128 WenQuanYi Micro Hei;}{\f8\fnil\fprq2\fcharset128 Lohit Hindi;}{\f9\fnil\fprq0\fcharset128 Lohit Hindi;}{\f10\fnil\fprq2\fcharset128 Arial;}{\f11\fnil\fprq0\fcharset128 Arial;}}.{\colortbl;\red0\green0\blue0;\red128\green128\blue128;}.{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af7\langfe2052\dbch\af8\afs24\alang1081\loch\f3\fs24\lang1040 Predefinito;}.{\s15\sbasedon0\snext16\sb240\sa120\keepn\hich\af7\dbch\af8\afs28\loch\f4\fs28 Intestazione;}.{\s16\sbasedon0\snext16\sb0\sa120 Corpo testo;}.{\s17\sbasedon16\snext17\sb0\sa120\dbch\af9 Elenco;}.{\s18\

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-RPKNB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	6776
Entropy (8bit):	4.952214417097897
Encrypted:	false
SSDEEP:	192:su76z6C6D6E6f6E6O6Y6K222K2a2O2G2y2E2+2PuADGE7lqWiNBXa98XP00PDDP:X6z6C6D6E6f6E6O6Y6K222K2a2O2G2yp
MD5:	1BD6D948821BAAD56E7BD929CE99BC3E
SHA1:	87753F34928DF1FDCE8D2AE17A734E2D032B7392
SHA-256:	179807CC391D4A379560F1E9119C44DBD0F8BABD7C9581758DDFD2C24D15CCA5
SHA-512:	CD8934815BBF3C6AA344CEDCA40732E4428DECC0F122F124B3AECD1720BA89A7D5A9BA0EE8AE4675C57C56B3ABFC44BB2AF2A868111ED7D23D156BCEAF0D6ADF
Malicious:	false
Preview:	{\rtf1\ansi\deff3\adeflang1025.{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Liberation Serif{\\falt Times New Roman};}{\f4\fswiss\fprq2\fcharset128 Liberation Sans{\\falt Arial};}{\f5\froman\fprq2\fcharset128 Arial;}{\f6\froman\fprq0\fcharset128 Arial;}{\f7\fnil\fprq2\fcharset128 WenQuanYi Micro Hei;}{\f8\fnil\fprq2\fcharset128 Lohit Hindi;}{\f9\fnil\fprq0\fcharset128 Lohit Hindi;}{\f10\fnil\fprq2\fcharset128 Arial;}{\f11\fnil\fprq0\fcharset128 Arial;}}.{\colortbl;\red0\green0\blue0;\red128\green128\blue128;}.{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af7\langfe2052\dbch\af8\afs24\alang1081\loch\f3\fs24\lang1040 Predefinito;}.{\s15\sbasedon0\snext16\sb240\sa120\keepn\hich\af7\dbch\af8\afs28\loch\f4\fs28 Intestazione;}.{\s16\sbasedon0\snext16\sb0\sa120 Corpo testo;}.{\s17\sbasedon16\snext17\sb0\sa120\dbch\af9 Elenco;}.{\s18\

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-THLM6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	63202
Entropy (8bit):	5.0029718648708466
Encrypted:	false
SSDEEP:	768:2rFe93O6zLpzBDlmvTpIq7GHARFpIq7GHA51BgpGk1Whu8rmqCazg0WOxuiOQY5S:2rg3RsJ9QVTXDIL909IA9g
MD5:	594C4769CE1B93FC6DBBC77DA6F418E3
SHA1:	249D9C71787DD927F5D7A132BB623A67CE891331
SHA-256:	20C3816B794BBD2CCF2C4D491B6985359107F41C4519F89111D723CC9349A512
SHA-512:	5564395CCABEC5912D5A5ECF76615C375176CEB7D45D99D232FAE6EFE6B0F893B56C6EFBBB0B2D5ECCA0B8405F67E8185B136CB64B534D65FDB6FE34E8B9E962
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\f39\fbidi \froman\fcharset128\fprq2{\\panose 00000000000000000000}Liberation Serif{\\falt MS PMincho};}{\f40\fbidi \fswiss\fcharset128\fprq2{\\panose 00000000000000000000}Liberation Sans{\\falt Arial};}..{\f41\fbidi \fnil\fcharset128\fprq2{\\panose 00000000000000000000}WenQuanYi Micro Hei{\\falt MS Mincho};}{\f42\fbidi \fnil\fcharset128\fprq2{\\panose 00000000000000000000}Lohit Hindi{\\falt MS Mincho};}..{\f316\fbidi \fnil\fcharset128\fprq2{\*\panose 00000000000000000000

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\italian\is-U3U93.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	37355
Entropy (8bit):	5.0224273603988925
Encrypted:	false
SSDEEP:	768:2rF4DO6zLpzBMRQ1W7MiynhCGm7aVZ/6A9a:2raD7IA9a
MD5:	72215D6BB69B80AD421E5FBEC9CEE983
SHA1:	4DC407E1BF25A18F3C9B2F2E94440D3A0AC505D8
SHA-256:	0B1A02997F8DC944153BBEA47C302C3A155B1363A2A4F6A23218EB1BA9D1ACD8
SHA-512:	D1F1409D1E0946F84F3D3D3FBBB90BB23195A84402E0DA16A102C62E1198F28AB80046E805A3B4CAAD0B61039E07B57350133F1E0DCB3142A0B2487F1F1174B4
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f39\fbidi \froman\fcharset128\fprq2{\\panose 00000000000000000000}Liberation Serif{\\falt Times New Roman};}..{\f40\fbidi \fswiss\fcharset128\fprq2{\\panose 00000000000000000000}Liberation Sans{\\falt Arial};}{\f41\fbidi \fnil\fcharset128\fprq2{\\panose 00000000000000000000}WenQuanYi Micro Hei{\\falt MS Mincho};}..{\f42\fbidi \fnil\fcharset128\fprq2{\\panose 00000000000000000000}Lohit Hindi{\\falt MS Mincho};}{\f315\fbidi \fnil\fcharset128\fprq2{\\panose 00000000000000000000}@WenQuanYi Micro Hei;}..{\f316\fbidi \froman\fcharset128\fprq2{\*\panose 0

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-38B88.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	47337
Entropy (8bit):	5.026858098463381
Encrypted:	false
SSDEEP:	768:xaOfIRjZyPCtqICnfLBOHjiqlO8DTO+6X9MsHEW71vUGF87etnC+zc7R+ezr21gQ:xapnVMNkfS
MD5:	F4E08AB548997A7569D407BF6945FF93
SHA1:	374C962B0AD68A101B3DAED59995A904FD2366DF
SHA-256:	5F43BA173258F401DEBA2C385FC136464F11F0BF9C9122D5CB1EDDBBA356D24F
SHA-512:	9F6F81663CCC54ED4B6E57770247EBDE16327C46ACFE14EF01BC3CF1172D9647AFDBED40FA59115DD41BA746428368A34C4307AA4D7B0093C88D86F8C4BAA982
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe2052\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}..{\fhimajor\f31502\fbidi \fswiss\fcharset2

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-3RI1C.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	38881
Entropy (8bit):	5.021685226499464
Encrypted:	false
SSDEEP:	768:jnTmrRl+4AnbIWIRV9u6KSsouXIhUGD+hZCZHHuJfD:jnIZNkfD
MD5:	C105B94880EE7C216A6B9CB11680EE5F
SHA1:	DB8A5F0969428FC77D619742CF14E733281491EE
SHA-256:	1F56475447CBCFC209E9BC0BEF763423EA52CDBC4EBB989EC592025C907C8EAF
SHA-512:	18D9F4336DCD746E374B70D297F5F555745CCBFCDE08689B50BEF3C2CD7A7714867F747472240EE195161142C3DC8A93C985FE6D8D66D7F46878C25B45D99A67
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe2052\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}..{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 00000000000000000000}Calibri Light;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \fnil\fcharset134\fprq2{\\panose 0201

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-5GF48.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	46478
Entropy (8bit):	5.035284697457925
Encrypted:	false
SSDEEP:	768:jFTmHRlr4QogJAqxAUZ81f4igFt5hCteYHIGdLN1Ho3SShcYZVVkiikVi/nuAIRD:jFuqNkfh
MD5:	7EA6627CEC93F45827C17C30BFE21F60
SHA1:	BA5C79789734B4CD143BAAE12DECE8C07FD18427
SHA-256:	6FFBE7F2A89F1128FA7A950F7B1797E2B73E70839FB7EB79EE5B906C50CB8665
SHA-512:	D8C7ED9808A9045B0BE3D247C06F81FB5563F86DAAC704EB1D056AF0799716B6FA0470D81698F28EE72C5B937E0825F1CE42A9F354CA4C61173A0E72DFCB79ED
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe2052\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}..{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}..{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 00000000000000000000}Calibri Light;}..{\fbimajor\f31503\fbidi \f

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-8BVI0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	68811
Entropy (8bit):	5.0062740217102695
Encrypted:	false
SSDEEP:	768:qMF2weRlqEW0TgegJ9Vte5iMSf3TDcbIWIRV9hMJu8WjbvH/o2ZuTCHF3wZxyiQg:qMChO5Nkf5
MD5:	9904281F0A850031B5DC777E69ACE68A
SHA1:	1B630CE1A72C6F2A1CB9C8B7A1FC81C2FD2ED3F0
SHA-256:	5888B749E1FC255BF39896EABE4B24B461BB4904549B1050AE8AE72296B72F11
SHA-512:	22C5E7E021B2428225E1595EBF628C83A97BCB76F7D52DD330F72F232E42B9BDAFCDB92A3B858909399700AC1A6FAED2A5A5138B1D66258937698D1684701905
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}..{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0302020204030204}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-98AR7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	55605
Entropy (8bit):	5.01205567474232
Encrypted:	false
SSDEEP:	768:joOfxRl14hJboyQZFJiMJu8WjbvMuhisSnPLQStqICnfLrajKyISfle0anZf1L3v:joQxkONkfp
MD5:	2042C1CEA9DAB7F908912F3BFDF63E63
SHA1:	5584A50BCAF968B5EC85B230E9043456D38C8222
SHA-256:	D67F0917369F9D4C556E2F625566C239FEE4DDB6AEF1483DCB2556F23DD3785B
SHA-512:	B0C961BA725096E33D3B586951221A35A77A56D63E0003C301AD30F6D6DB94DF6853124EFE7FE8817F7EEF9F7972434AFC65010885BCE4A9BEFB60D7FF9A5679
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe2052\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}..{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 00000000000000000000}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 020206030504050

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-EO5KE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	41900
Entropy (8bit):	5.016535633453485
Encrypted:	false
SSDEEP:	768:xoOfYRj7jOcPI0QhhiLV6qiTqP7Mi6uxPwjmkoASoGpngl4ZbbsVj72Q/za1CkCI:xobqUncV/QNkf8
MD5:	4610A71940E165CB27249C3133800D76
SHA1:	395941C9ECEE674429A1108075F9DD0A241CF28B
SHA-256:	AAE092EC9F04F37A0059D595A581A9818DB18A4247B95F237E20EED5571BC843
SHA-512:	D297B3B4AEA83E3107A0C799A238C40060BBF7247DEFEF0E179A2F61ADF06442BFC90577C705CAB0D3D2D0D12BD3C86F56C0B5ED971087C47A1973B54853DE32
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe2052\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}..{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 00000000000000000000}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 0202060305040502030

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-FU6SG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	38875
Entropy (8bit):	5.023304885435034
Encrypted:	false
SSDEEP:	768:qMF2weYDc4L7bIWIRV9uUwcpanBczRyZHHuJfv:qM3ZxNkfv
MD5:	AA188680DBFDD29FCFD5767CFC4533D9
SHA1:	3CF7AC902EE42B074B4B5ED13E4529FD11A34ADD
SHA-256:	CC3FA96A625899F9221F3E76B6AB9C7B234DC7A4222C914EC9A78A7AA2D64825
SHA-512:	76C22CF016FF8C7C1122E5738FDCF79957D24A4590EAD2FE570CA833D1CF828F8B333CD105B2078AEF2032C503C03BC2536290E5302417D383889045E3B84817
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}..{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0302020204030204}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-HRSEC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	49143
Entropy (8bit):	5.0303602087233
Encrypted:	false
SSDEEP:	768:qOF2w9Rll41gJAqxAUZ2ipwQduXLwzq3PtDxdMNzx9AW94V2sQSuUNKKLz5cZecD:qOhKZkos
MD5:	45FFBE8D6F213774FC03CED4B2C6DE2F
SHA1:	B206C836CD793CB43A90FB7F55F20BCD0E588F45
SHA-256:	D4928483BCC0FF7D15BD5B6B6669B82645EA4EC7C454A1F3BCDAFE0E984466BF
SHA-512:	3153444C8413A6E6F6B4B1D0603E18D282A1B5DCAAC064FEFF2F8D9CF63AF5C7F7DDFBC77F26789384FF0E056741C615158570FD0B65114CE493692516316086
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}..{\fhimajor\f31502\fbidi \fswiss\fcharse

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-JCVO4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	47415
Entropy (8bit):	5.015734147683168
Encrypted:	false
SSDEEP:	768:jnTmY+EN4mXbIWIRV9sK8qoZzNqZiuJo8cDovLQoAn3Brxw2mB+c37DWZlIpIkpU:jnciZhNkfY
MD5:	A7A6E83C7BF0C9446D815E04CB208372
SHA1:	793D0F666A6E771A4864B169BBE282F943D5D043
SHA-256:	B5323857EF076CBEBD3B870F4C8EB5C58B968ED51ACB6821C0A93C2FFE53A1AB
SHA-512:	A5B09DD7D7C362B1807F6B9216318AA3598943688EFA39D4E15DB49DCE7743C9DC2574DC182BFCCFBB3501A7A1273A073FC97F8BC714084806B16DC8F43B49F5
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe2052\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}..{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 00000000000000000000}Calibri Light;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \fnil\fcharset134\fprq2{\\panose 0201

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-K0784.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43011
Entropy (8bit):	5.033750943906381
Encrypted:	false
SSDEEP:	768:jaOfIRll4ugJAqxAUZm25iMSf3Tv5itocjSzFkkqYrMOFAPZ/HuJctS:japiZkoS
MD5:	F7FE0658461246679F5FD2A30AF4F9AE
SHA1:	878199CEF5C2AB4748658880B8A9302CF754216D
SHA-256:	D65035962FAF4E5AEC76B8EB56E186E14907CD955511B21F2E212CF706F08940
SHA-512:	A9232C63302DCB47FD8A53DEF4A5B6A8BAAC23766F98D8051751B3AB4A12F9F1D12644DE7E5E5AC897506D7C33FA2803E3FDC241457F3F925EEB42CC6384D874
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe2052\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}..{\fhimajor\f31502\fbidi \fswiss\fchar

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-LBO0Q.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	38831
Entropy (8bit):	5.022754170432963
Encrypted:	false
SSDEEP:	768:wMF2weYJK4J7bIWIRV9OOVQjwQ49PomsZ/HuJct9:wM3wJF4Zko9
MD5:	01A4A15CD5BE8B0E0E0B34200D995311
SHA1:	D30F6F8219B9B3E91F9D1D0C5283F94A6CF0F124
SHA-256:	D8A325D699C34E761833F16416EEBAAB43AA66454D08B7ECC40B4E5B89C1DF80
SHA-512:	7C968B597067F2E0D0645219A96284C9868298F184FBB479CE214E7F997C353817F079C40D8BC7F79AAAAC42AAF216D33ACEC6407F1B24E60DBA4876426A734F
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}..{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0302020204030204}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-LFK0Q.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	40154
Entropy (8bit):	5.0200796695222865
Encrypted:	false
SSDEEP:	768:xoOfYRjCjOcPI0QhhiLVjLqPQcCTjwC9UqUkVuss8HD43p8ZHHuJf5:xobLUntNkf5
MD5:	8360940E8A2388A3DE31148F9ED5DCBF
SHA1:	6B44DF438877025970E59C226D3F3D347CCDC264
SHA-256:	AE905D395961C89647DF96F870FB8BFB199D72FF40BD62C6B95413C06CC03927
SHA-512:	1E58457C3359EEED8C187A5F60C09D6CFEAA3A995BE0FD3F22690A02383DF9DEFE5B60EFA1BF8B4FC0975B17683629292D3118DF670C4CBF1DF3141B73D4ACF5
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe2052\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}..{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 00000000000000000000}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 0202060305040502030

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-MDS5A.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44111
Entropy (8bit):	5.034804043043812
Encrypted:	false
SSDEEP:	768:jaOfIRlU4LgJAqxAUZa25iMSf3TaCkqooYidqm4eEHEvsEJ5sCXSIKEjZHHuJfM:jap7NkfM
MD5:	D6C4CE3A479398A0C89448CF3D344268
SHA1:	03399F4D355A631C8504B35AA82238E444D2A75E
SHA-256:	56DA26981FD5603C5BB388D63B900EF90B42234F9FA6EA48BC7650BC609CC187
SHA-512:	838AE1B09A693DE3A21C37087192C58F56D1D318A6265DA290CA1AB449DA85716BDD8B0D32B0D6D37EAADEDD2D8B89F31BC1F8A800A28B058286490A4720E9D0
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe2052\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}..{\fhimajor\f31502\fbidi \fswiss\fchar

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-NH8K0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43205
Entropy (8bit):	5.029790593334823
Encrypted:	false
SSDEEP:	768:joOfYRlj4lmbIWIRV9hiuFfmXYPxz7XzzMVFGqpJzVnz2T8VngbYh8snZHHuJfO:joblNkfO
MD5:	D4CB2191EA1740D821C8C26C19033BE6
SHA1:	3544CFF8E4BCF6BA57A63585AD6DAA2D244DC6D3
SHA-256:	7C075B420A250AC2F36DDAC2834B422FF8B858B0D6E02A9BF7AA5A40FFF6AB39
SHA-512:	D23AB39C0ABA07D99D7F03FAB498C2DADC81247FBC98DD758ABB94413041778BA5A83372F0F5AC20911B1C5F6B61313D6EBA26E966110F482B6B23D3BDAD94CF
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe2052\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}..{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 00000000000000000000}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 020206030504050

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-OUET2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42824
Entropy (8bit):	5.034062607884397
Encrypted:	false
SSDEEP:	768:jFTmHRlU4U7bIWIRV9pqHjiqlO8Dxg+uoH6ewDiUpk8q8l9kSZHHuJfo:jFulNkfo
MD5:	800E7AD84A7B41C281A79786FEA7BA97
SHA1:	994E9061F0AC0F8D5A34B5456B3CB580216F08F6
SHA-256:	6D4DC10220486F098944FBCE97F8B5D03DA6157F7B59F79AF697D60AEDBDAC82
SHA-512:	887318DB58E88701D2B34B7E894EE2132684D0E3C724BC1B6EBA83C5987ECC1D7984018C8915AD0E7EE63E46C8C4258D7F286D2CE804DDFB37289F37676EB5F8
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe2052\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}..{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}..{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 00000000000000000000}Calibri Light;}..{\fbimajor\f31503\fbidi \f

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-TG56M.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44016
Entropy (8bit):	5.032158423293101
Encrypted:	false
SSDEEP:	768:jaOfIRlR4kgJAqxAUZC25iMSf3TIDgE6/o4WGrHwoKkASAt4Nb4B9SZHHuJf5:japUUNkf5
MD5:	CA0B924C577837EAB433DFACF50B0A2B
SHA1:	5FE70BC33A1A72354EB7CFA7327F993383F5CBF3
SHA-256:	62C5D1371C91B454DDE8DF1DB0D628EE59917A766E42475FD17F6EA1E168837F
SHA-512:	A1A20927E1DD4F3F63D8F9D69C23A4C62920C65972B4967BDE5C6FB49EE375B0FD3BC56F57DDB190C267921779A506C42960AA1E9BD7AF979CF6EBB954AD6925
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1049\deflangfe2052\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset1\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}..{\fhimajor\f31502\fbidi \fswiss\fchar

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\portuguese\is-TVUSR.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	61749
Entropy (8bit):	5.011791508105758
Encrypted:	false
SSDEEP:	768:qOF2whYDh4GQgJAqxAUZ8ipwQduXyWBa3wEmgcqvNNb+S/5lqmhIFBjMpVWH3WUS:qOQxz3bZkox
MD5:	A8D1D94A08570FD639E456E0AE11642B
SHA1:	8972039BAA818C2D4B5B9BBF51A478A9168FC40A
SHA-256:	10E26C8EFF767CDCF94046DAA5E96BB95A08EF0EA452C9D8FBA19F4048A57E0B
SHA-512:	42CE07188FF4BC3652587A0595CBFA9E585AB93E7C598B3B16BA8C856F8F910B4D533215F41828901C14B9C4614A8491856B98993CC168ABBA99CCAFC406B163
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1046\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt \'cb\'ce\'cc\'e5};}..{\fhimajor\f31502\fbidi \fswiss\fcharse

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-20R07.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	59300
Entropy (8bit):	4.973759890149894
Encrypted:	false
SSDEEP:	768:qqe+2VXLcpErLVYZx1M8j5g5V5V5h5G5P5N5hBcqtqYepAkVZEdvI9TMMf4fPOj/:qqqcshf4fH6IA9h
MD5:	00483C12EB7B2424B5A2C264DBFBAD6F
SHA1:	3038291DC4B40B6C269A24727F175504F09DD532
SHA-256:	BC9B42D7D66A88398A3FFEAB5790818CCB2DF9FA4B24FC8524F86F23930A8ED4
SHA-512:	04B58420762D90E1564AB6635B718FA47CB71795B743CC42FBC7B54B01D6243083C39A99B9A276F9290BC7FC4989AE0970DB35DBDBAAC92E9B80B69FBEC71693
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\f

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-2LFM7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42635
Entropy (8bit):	5.046553170453071
Encrypted:	false
SSDEEP:	768:qqXqx1fDCcJJrNgVVhGPNhHwGNjm+epb/Vbc9DuUoU8Gmgflx6Z5zZ/6A9t:qq4e/DIA9t
MD5:	60B7129A13E0CE865F60703FC49D7E1D
SHA1:	96BDB21054BEE9F42FEF53360847FCE57AE3269B
SHA-256:	C68038C41212344C10D0194438D8BF503F3CAB8ED9AEA1B24E91EF989CC14923
SHA-512:	022BCBD14748D9C947F7B93EAC6D38D59F5BD39DFF22E62E16F1C5EC6FEF50BECA4AADE8CFBF745AF7055CEEB91F3DBB7D42117FADBE7149F627262E9654C66C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panos

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-3GKL1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	45355
Entropy (8bit):	5.032998271538751
Encrypted:	false
SSDEEP:	768:qqeXxd/1Ca9DGi3w2EHnT2njX8x3FXbv4CD5klkhuhr7RVRatot7kzkAkqkVk2gJ:qqoC8IA9E
MD5:	37B0C0E48F0AF77161430D5DE894A950
SHA1:	9D27E00A6B141CA123DA1E9E0C7C768CB89910E0
SHA-256:	61FCA2437288DDC4692FE93CCE90C3C72C0ADDBD08C5662F391F6EF694B27256
SHA-512:	AC5463F888305FA6BBAB57CA80570B51249A2719C8A1B116B4EB574EEB2D724718CC676092CEA9241F3B72C2B2D0C63137553A7CE4DD8A871ED46E37D63FFEC1
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\f

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-4VT70.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	53477
Entropy (8bit):	4.993468879548167
Encrypted:	false
SSDEEP:	768:q4eDwJeLCdAT2njX8x3l7G5V5V5h5G5P5N58UkbdSLVMVIs2TFDtyZ12TXW++xUu:q4ZVFIA9b
MD5:	E70B7387C930D96F979C15DEF4A0EF82
SHA1:	9885403B2230DB0BC89F6C12A5326C28DD5C0ABB
SHA-256:	2ECA499E76C966798F73BFF750D868951A1F337854402446D060919F2D10CE87
SHA-512:	D37DA2B1EBF5808CBBE89163FDEEBB96E842F5FD3CC4A7523F478CA1433BF1F826F44EB219E397F8A427B4884A1987BF435D19F5C809BD06B1E7600E4FD5980C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-843I7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	54989
Entropy (8bit):	5.004403089561587
Encrypted:	false
SSDEEP:	1536:2aqAse39REjyW0ywGa2eI9Cj+uFECVCjuizCaIizg8zku0+zkuQPChJsCGJ7CdJ+:2B/i+uFEwmuizbIizg8zku0+zkugsGLZ
MD5:	D8DFDDE0D2E5EE7768A3D91D9CD9D014
SHA1:	4C1B8C8205715F8858FA089D887D2A49DC89EC77
SHA-256:	E3409500600560293AC4C89EE3FFB02B854E9CE26926C9C592DB11979288C0BA
SHA-512:	161A64A5B4F8C877661DE001A5293831D351E5294AF76F66441B6DF13AAF5976506ADD1A17F0EAE5126B72F1096AE9A745F1042BD6F9D0AA880F24C726027DF9
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 020206030504050203

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-9H8QF.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42713
Entropy (8bit):	5.047774415882159
Encrypted:	false
SSDEEP:	768:qqXqx1fDCcJJrNgVVhGPNhHwGNjm+epbPybO9FO0I0cmG8/FRaZHIZ/6A95:qq4ePXIA95
MD5:	FC56B09D7F10AE95E575F472B2CE9AB8
SHA1:	806D290A16EE633A1D79B8D916FE00D508ECD51D
SHA-256:	75B89487ADE95BD0450DA43B8978AB7E37AD22CAA7DEDCB9D599EEA0EE0E8A04
SHA-512:	7B0948BCE8EE5AC36E7C91D3405F041973B6F9A6D316E64454E9E6A3B2A316CF65C03D1CE7041B9DD5FBEA3F94F175138735336D71CA927FB68D66D92413CC2C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panos

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-CCJL3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43270
Entropy (8bit):	5.005983710564955
Encrypted:	false
SSDEEP:	384:2aFkyWNdW2OTYn/akJOc7jgskl7rVGGH249LYeoYGEovrMoQJhYNgDPsKknWeo7L:2aFk9Oc7cskl/VGGW+2/Z/6A92
MD5:	4AF18EE9439DF76D12E065E6AA400E6F
SHA1:	B9B939259BD0012DDF6A025199CB670F7B3C0CCE
SHA-256:	DF734E3254D106D22C2C57D81E1C8BA28DAB721488DBB48930516B94948A19DF
SHA-512:	80534BA7923F78792211AF00922D7B9E15A4FB25BF1661353BE820690EF3CDED245AC9BC951CF2BC6F48D8B9C5315DDE74DA9FC2CB8BE097ADECC3BE3EA07270
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 020206030504050203

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-D1MR0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	38593
Entropy (8bit):	5.02789644916169
Encrypted:	false
SSDEEP:	768:q4e6xdUjOcPI0QhhiLVpUGXnT9bZhdfGjlrqCHy/RKECA13GPkmZ/6A9S:q4L7UnoIA9S
MD5:	030CBC2FE247F98453B82ABC39C3C966
SHA1:	D5F3102D3878F32C5A5FC7AEE0AF3F63DDB74119
SHA-256:	88E89133FC2542C74552BC4AD65320B01F08ED3A1E5269C008A0236BAF0C0893
SHA-512:	86109DEF32876A40F30B9A4D7D5366BE4FA07D62F3019CC269F3F1A7BD68C2C6597BD2341E0CEAC72951D2B8C66DAEBBE46278ECCAE7CC4D54F32FA9C5B833ED
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-DV9IQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43030
Entropy (8bit):	5.037181036721856
Encrypted:	false
SSDEEP:	768:qqel4jeXCpMF2njX8x3JLjwUtqYepjRBcnjX8x3TRbyqfVHVU3icdXPIZnZ/6A9C:qq3pDIA9C
MD5:	67B098FD7DC727E81D9D9FB9A520E1CE
SHA1:	F6D0526FD0E5F10956988840D866DD2222ABF783
SHA-256:	C3AF56E516BBA805D97730CC1303C32539C72A4E93F598F599EE4DE1756AB0BF
SHA-512:	65718F4601D9636CE73B3B5D2E5EDC62B34DAE818C7450033BEC2221916E8AC81316D6EB3F3690186E3A505F82192A4C1EE34D12606690B3B266A2BEDE2F7DEA
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\f

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-GLJLK.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	49985
Entropy (8bit):	5.016054674805171
Encrypted:	false
SSDEEP:	768:qqegxdUjOcPI0QhhiLVptabQhOsWxspoudZdRdud9dWlxjRw4L41PcQhiuOdcJpw:qqH7UnexIA9k
MD5:	6817C14DB33376EA13F5135582FEF07A
SHA1:	AC55EF25E5BA0C63319C2B7750AD3FB3B6141D1D
SHA-256:	8E6A77CDCF0EB74491B22151BCC19798620754E7F069D76227F8C2C1E28778B7
SHA-512:	81B3E721842C1F1CA3581AF69CB6495756EECAFD14385C512E5CEDFAF98BBED387D6B9AB27ED76754B17FFDB8B2E5414108702BD6E5B4A8DA27E821D9D7FF3B6
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\f

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-HRTEB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	36808
Entropy (8bit):	5.0329736161419865
Encrypted:	false
SSDEEP:	768:q4eM4jXTicPI0QhhiLVFBbRTRYDOuJLrEZLZ/6A9i:q4UyUnVIA9i
MD5:	F9230F9C9FA57AB35625AD7DFD1D21A1
SHA1:	27AAAF7B861E3C1A0D017377E0F59801E143D59C
SHA-256:	85125B0682653CE7A5E9569F8480A87F5A3F1D3978B47A3C1AAD5FE80401D7CB
SHA-512:	A8FB380CD3DB166ECF2174097158B4261020E8AB376A2B6180958BC615CEF3F7CFBC4D4D437ADC454801FC9193E80A94B56C54B4CB2CAF4485043F34B132F99C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-ICKR2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	48785
Entropy (8bit):	5.035435060271824
Encrypted:	false
SSDEEP:	768:qqFy4a4jeDCcJ+Lj5g5V5V5h5G5P5N5hBcqtqYepnRbK3j10C0O0N0e0x0b0o0g4:qqJ9CxIA92
MD5:	DC2C7249084FEEBFE9F1E4FB3491C9EA
SHA1:	B1F39695D01244B8D85F9FE40D24B809759DB0FA
SHA-256:	D5EE096B03118AA2E7032A80EAD45F1C1D180889E5C0D9140F5C7D999698EFBD
SHA-512:	6B83FF30438154C6D58F7BA35FB6D01DA65D3B696340B522653DB3AEAD830DF67CEF61B1729197E24E8A160558418CBF639E5F31D6D2E990527C1920376FCE0B
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-IDDAQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	34281
Entropy (8bit):	5.012287301852251
Encrypted:	false
SSDEEP:	384:2aFkTZ0dW2OTYn/akt0LL32En4leo75Y3kpTBLRA6AlEayv:2aFkA0LL32EhZ/6A9O
MD5:	EDED564ACC58819DE344EDCF72FC398B
SHA1:	5BE5194C6D1F83EB91B5ADC4F165BF49EA393FD1
SHA-256:	A036B3EA04F1F8A0C6DF8948FD2ECE8422AF95438DF6FE40AF14D46C457C387A
SHA-512:	3AC8B47B305149067386772E289302033EAB223D1C1B64474268B6DE8BE444377640BCB0F852DA53FBC0B7B17F71EA84AA2CA360F9D6CB938C502B1F689A9B7F
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 020206030504050203

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-IFVRG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	80981
Entropy (8bit):	4.937480918278311
Encrypted:	false
SSDEEP:	768:qqFy4Ix1ELz8lH0RvI9uMT98i3w2EH6mlH0RvI96M0eyOq4e4ewuwPkJUvuuSDG0:qqJC08JePTJfGVIA9b
MD5:	3E44CE0D0BC29875CC2BC6641B12B64D
SHA1:	45800E6EA31EA68F3A2D57AF2D0C449FCE820B6A
SHA-256:	0084E1E5A6B7FAA22CDC67EC2D505653E7C065B07EAA9DA1AD38A896C32D34DA
SHA-512:	9A8A904E2931C741AA18E0761CD686705934CB9F7F59590433DCAAD38B80567A20B64BF6A307F67469F582D93D6037FFD07D8CEC9DE7CFBE562CD6BF49E00F4F
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-JDK1T.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	61781
Entropy (8bit):	4.857520301127485
Encrypted:	false
SSDEEP:	768:2aTIM0LDyaeOsDvEpd1rTmMYm7JRFOtf1SPuJtxLs2coKPvZZ0Z/6A97:2asMQwPIA97
MD5:	78E67BA68FD674E528877B2C4ED0EA13
SHA1:	2393978ADD7BA637E654A9FDB1815BB2D4000BE2
SHA-256:	E023BDA87BC91024BDF8117E2E8FD19628ED0006DF399033A1FDF0A261CD90F8
SHA-512:	D3306182B95C93CB4DDDD7219239F8F927EDD1BF5F3134B89E19637760B8E3F051EBA9ED8EC193CA31D04FDFF2FD75AF6A3F119C357E244DCD7DB151B8061753
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f39\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial CYR;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 0202060305040502

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-K5R35.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	48100
Entropy (8bit):	5.025830167724142
Encrypted:	false
SSDEEP:	768:q4Fknx1eiCUYCmpNM2UrPGsGx7TYlDIUldgOQrrFrf7IPWj2sqiHTLb3ybVaGMbQ:q4giYIA9b
MD5:	89ED020D20DA91E6E1F6AF7A3A4C3ED8
SHA1:	B387B9E8EE99429E41090937A41D60564CA50A5A
SHA-256:	29857E5F65A83CB250D7374A4AAFBCC1159C4318942F5044C9C12534A1962B41
SHA-512:	1CBFA048F043D784062288EC39E5A89F74EF418CE6FBA1C2FFA32555B993C446CAC8ADB63B05D2E60FF3DB65735E55664C954D84AC4F21DDB94542BFE536F6BF
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-LUC8T.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	50965
Entropy (8bit):	4.9704278921640555
Encrypted:	false
SSDEEP:	768:2aFkzOc7cskl/VGGAf+E2aiImsQZ/6A91:2aqz+aGIA91
MD5:	B4BB6B054B4A31DE24E87AC030375781
SHA1:	9DFAB2ACC25BA7B468C695E26B953D3E51987121
SHA-256:	B9AB1C6AC6061D9912ACFDF1499C8F4A22D92F950B27BE87BE7B4E0C631EA193
SHA-512:	39CC26F5008F356B8C30551E4B425BCF180662159A308846CD605A5B82E215C63CF5EAEB7A44996E4C39942DDB47FD30AEAF116B671DEA5073E906355244FE2C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 020206030504050203

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-MBSN0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	50749
Entropy (8bit):	5.025992337478631
Encrypted:	false
SSDEEP:	768:qqFywxd/cCcJ+Lj5g5V5V5h5G5P5N5hBcqtqYepnnbxa10C0O0N0e0x0b0o0g0sq:qq/MlIA9E
MD5:	4091E666BD6CCC6971AE0F510870DB42
SHA1:	E21753F9D29706ECCD6371C10A0CE598C80C64D1
SHA-256:	508DC3EFA99E34F0865225A43C9D2554169D4D9C9D1CE5C1CA4FEB41958DE1B5
SHA-512:	C8FCF769BA2F155F8BAF4A9BF3E5D93377191EE7C02BCF5ED9E8158C10BC82B1AB344B9788D1FE81A73C18B0E2E10F0DD69C2C2400216878FA34EEDAAA824709
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-R9D96.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	48379
Entropy (8bit):	4.996608771533116
Encrypted:	false
SSDEEP:	768:q4e94jXjOcPI0QhhiLV9xB3T7JileOhvbNbZWvsn53NB0DNZGky8OF5x1A58GaQg:q49OUnIIA9p
MD5:	B8EA7A3C55CE02A64BA0AF23B9B85E3E
SHA1:	8DFFB3874BBD2EA54BE1E6D87356126B1E73F290
SHA-256:	792111EFE4C09E3F68D0E2A5344ACC12D63B351BAE5F1654FCC36F2471ED7667
SHA-512:	A8A46F16EC9F8CE3670B171DD90F84F9D1F6CD15FC0428E3DB95ADB4AE302D0A82FF837A9C1DD32EAEEB7D8A58F942DB79461FB5BA36C869CBF4EA7210747007
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-SBRCQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44589
Entropy (8bit):	5.042107887527953
Encrypted:	false
SSDEEP:	768:qqXqx1fDCcJJrNgVVhGPNhHwGNjm+epnBBbq1FkSkek9kukBkrkSkP9MkSI6Ioum:qq4ABXIA9N
MD5:	A408ECED60101314102C175C7FE3E9D7
SHA1:	EBD937ECBFE7FDCC84DF27E7AEED4AC53FAA488A
SHA-256:	2649AAF142678E0D5B5DBEEC454E5D04DD191CE636F6EC5231A7A633C754252C
SHA-512:	B5E5B24DAF9BB0EC263E37AB11B1A66F50C3C4742F3EDB674AEF6FCA8B1F1C566D2F5CF59C9CA95779C9D055CC58B80770B9374EE605D110312F0C6E761E0BA0
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panos

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\russian\is-TQCDM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42126
Entropy (8bit):	5.024542957132508
Encrypted:	false
SSDEEP:	768:q4e94jXjOcPI0QhhiLVtwYMgT+h6asH7UlKBGcg5dEmR7iC//+U1zfymCRwFOcEz:q49OUnwIA92
MD5:	08B4567798ABE579F2D14EA033F94E31
SHA1:	28E3F5CB129DB9B3B33E104773609BF86C8A6861
SHA-256:	2EEB8BAA34230B1D075F9E9C59289BC3B1ACDAB08EF0A181A1FB43F6F3F1BD41
SHA-512:	7F8F5598E931CCCBB0F259AFDF369E7A8FDCBBFE1C222EE8B4D5FF16FE502D4F9BDF54799D3C8420FC5903624DCC7E0412197A067FBA3EF82862ECD491C6F312
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff31507\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-2TLAM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43957
Entropy (8bit):	5.05318714443273
Encrypted:	false
SSDEEP:	768:Vk1q34J9zZenGLQ4oaqVYmSSlSQ4KxTmmqAFbMmzigeIgpwgM/tI1m3AG8bq4Tn:VklnIqk4Tn
MD5:	C802BE58C5B4EEE36B30EAE58603CBE5
SHA1:	3F245C80D14B4051CDE661FE373FB7C57020019A
SHA-256:	6D1E5226FE921E8E23C48A0F7C4FC06B815BB0D777C2DE20D6E4EB2A53100023
SHA-512:	402EBEFF45912562F8248CA7018BEEDE532E91F54839AA5AE556590D6F9D9D786E39E9776808C30F050CDC22BEB595A715DF8A2603ED1AF675A2B07665B249FB
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-4L7B7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42355
Entropy (8bit):	5.0527900529716705
Encrypted:	false
SSDEEP:	768:Vk1q34J9zZenGLQ4oaqVYmSSlSQ4KxTmmV4JAF/WMvgDNHkAwd6Lkygbq4TF:VklnIV4J34TF
MD5:	6E4790A124B7FF2124F2D64A1F5935AE
SHA1:	809C008765ADDE1CFF719DF84F5D1A6972C9D15A
SHA-256:	7BC836689CF9FF9CF09F7E58AF04356C29C44CD67256FF828873AFAE1D9AD78A
SHA-512:	9DA4AFC8A0E1A92A33ED8D33C8C3E6162DC0FCED24BF9A65A69ED92380B10E5B639E6809067E1D8A7F2BCD7300A809CFBA07693AF9A6B425CCDA76CAC53AB38C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-57895.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	36554
Entropy (8bit):	5.033242301326159
Encrypted:	false
SSDEEP:	768:w4FkNxjETicPI0QhhiLVUO9HZYSEWsIZ/6A9V:w4G3UntIA9V
MD5:	60CFC0AB1C3A23B456BDEB0DD8010A83
SHA1:	E2EB5D85ECC146BA756BB812247090D421D8F906
SHA-256:	FB9A493F603C0027F6782538022DA6D82577FC0CE69146E66076EF94440B7D18
SHA-512:	80ABA72B39079A7B4378C0B106CBB0098AE94BEAC586DC34BE10F5CE2D7F0193B20A215F0D98D08A709F934CB1AC05FCE6B15270D3E855F01BD9C814D95AA4AB
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fdbmi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-6RF3U.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	37942
Entropy (8bit):	5.034259997396652
Encrypted:	false
SSDEEP:	768:VkGN4Jt0TaGC5X2kLuuXprzghApkH9bEJzKv3TFeq4T5:VkHwd4T5
MD5:	A4F051708B7CC7EC3B58CB0A01A56DAA
SHA1:	4C4D011C0EFC5497763698DD21BE21D61553EE51
SHA-256:	E5AC50A87DD55807C9FC5BDF12C6317581F50456A9D99EF92794F5C089748F6E
SHA-512:	EFEF770ED92BB6F5D76AB7613ADF47ADF264CBBBFB741D7514A9424D77055CA01DCD1462DAFA2A8CF9E9FAF36931F78865430FE62F30DC77A9F18E0A28C8EC37
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-93V06.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44885
Entropy (8bit):	5.051249541456295
Encrypted:	false
SSDEEP:	768:Vk1q34J9zZenGLQ4oaqVYmSSlSQ4KxTmmqoFleTHHqaXD8TfLlCeTxDn4UfvUwNi:VklnIqN4Tm
MD5:	26DF31606E6051A5AB82AFA526964B5B
SHA1:	E567611817B3963033B65E615EE4ABB3FCE7499A
SHA-256:	8B807D3D26611E1DD448B29E0626173AE0C4077974E4BC018358536D48A6F510
SHA-512:	49BF5203F94FDB4136E58F17CFF137DD5685372A135701E22649E1B2661A3F48AD09B2FE6EDBA57AF4DD80C0766934AE2A281F845D32C9D529A3C20A3E9315F6
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-BESPT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43947
Entropy (8bit):	5.053170962954844
Encrypted:	false
SSDEEP:	768:Vk1q34J9zZenGUxQBkyKWm+m2NjrOX/zJwPzFZ6LUECxfxkSFgc/rcaVbnq4Tf:VklRPc4Tf
MD5:	874129F2A6DD7287BADBF2EBD223923F
SHA1:	A6D84C0AE81F13DE1C8952A8EA3602DC54B99C2E
SHA-256:	C824F8E324B7B859ADCCA1F38437CEE6AA19ECF8FB5C8723C6347DCEA2206128
SHA-512:	236A143EC7C0E1151CAE3B0399884E7498327B2F9E4C03FA65DCDCD9628CEE9BE6DEEC5A7B5312E8CB8B016C4B5BDAADDAEDD49E20F7D75F71AD63D49F85EDA2
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-DABPU.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	37309
Entropy (8bit):	5.035450399129397
Encrypted:	false
SSDEEP:	768:VkGN4JtOiBkyKWm+XcOl66fSndrdyzotzrcq4Ta:VkHHu4Ta
MD5:	C121D028E5250297A8B932011A8122F9
SHA1:	6E9E2CAE5D2200213EA2378E2F02E4237F0EA7F1
SHA-256:	8246FF97F5D8EA82D7D9C00EC53309DC207026DD6B406B7B77E873563AB424DF
SHA-512:	F93C9D589271DA049E037F0491E9B34CA1574113F488DDF302370BB1BC4CE55985A27A294B37A50100BEA4C9E209B5C6D8020843BD404B571B99E112E6F1CB3D
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-E57KV.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	55781
Entropy (8bit):	4.974374262253835
Encrypted:	false
SSDEEP:	768:wqFkd4JQJHT2njX8x3TLjwUtqYepAkVZEdvI9DhL02GZLu5UZcHXqjHZCNVsMQgB:wqdThL0kIIA9Y
MD5:	0BF8EF2B17B829705BB1D37632503C1F
SHA1:	5E969D18969120A577205E785D8641CAD1037AA5
SHA-256:	665B118FF5A8EA42EC98EB73371D9F28DAA619617F014E4C6FB9F4281521D391
SHA-512:	6FA8B101F982EC8CB3987057591C90300C0C158A74D4DBCEFF179E994E9A560C5EF0F130314639B751B01501465B4D55C8DA68F95FF1F9E97174B3A8CF264AB3
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 0

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-E63KA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	45797
Entropy (8bit):	5.048112106920449
Encrypted:	false
SSDEEP:	768:Vk1q34J9zZenGLQ4oaqVYmSSlSQ4KxTmms0Fzyf/8Ze52zxn1yIATqQfIUj1gCK/:VklnIsM4T4
MD5:	B282950E706D40B97814A1BE2F1513FE
SHA1:	82318E2310302B88264AF88800CB5A6762446C20
SHA-256:	C93DEB9DF3F1878F380EC3C9348E22E07A5A38CC005D180FFAE3EF7C663BA567
SHA-512:	0A5128EE9895BDB59F247B49B105E990675E27A9F93F006E88500CEBE5084722DD4D1CC74CDC31AC65AAAE0962D4FA2F1EDB96C26AA4CBE733054B35D047C49B
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-FIBME.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	41999
Entropy (8bit):	5.055697465978919
Encrypted:	false
SSDEEP:	768:VkmzS4JUAauTJcOerjj1oKauIKx49kWYcFBxBMdk+tkakaLMvIghQq4TP:Vku11S7u4TP
MD5:	38D9C60C2583CC6714A0F317F3FD24AD
SHA1:	06F40D2DD9A933E7073FD6B57475B879582B99D2
SHA-256:	4825CB084B4CBE44982E0B965CCE2025C23D43CC3DDB6B4389F811C07A5EE872
SHA-512:	C2397F026AF1AEFBE283F59D8188CB17C4BB43F6F228FFBF07A167DFC636D6D7504FC1BF69F53451C361FCD02646B9E96C2A6BE0FD3B12A58B9E42D8A729FB4D
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f39\fbidi \fswiss\fcharset0\fprq2 Arial CYR;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f3150

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-H0HQE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	44680
Entropy (8bit):	5.0440980385984355
Encrypted:	false
SSDEEP:	768:Vk13ixj20TaGC5X2kEDYd/awBGkRYoGPLo9C4Yhn8uw8h33SSnHDlM85baNRWmgA:VkGt4T3
MD5:	8F7F1A8853F08FDC85B12A89E08CF432
SHA1:	D2F7DCC9250548EA79E9AB2148E232B183527D2D
SHA-256:	519A67854D21C49B501187DC6DE66AB09C403ABE68F5E3F20ECEAFD24FD92A51
SHA-512:	871B3634AB86A66E58424D45984EF0EA8973220D3A17F58B4CD399807045E5A6C72505F82E40A2789BBCF62C219E1EBBFD109DB29A0ECD3433AD04A47434A48A
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-K01F3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	45050
Entropy (8bit):	5.040256574487364
Encrypted:	false
SSDEEP:	768:VkGN4JtHiBkyKWm+m2NjrOX/zJnKujtCUcFsWjeQ2CzLZ7RntKuG5QZ2y3OE50sq:VkNk4TF
MD5:	94F6C834BB72118F52C6E4AFA65342BF
SHA1:	5066CA137EA8AE0F1CFDB50D364C0A85BF31B98D
SHA-256:	E950C0B4282DDB4BBBCA54BB72CB789B117690E1EFA15D7BE6C59BE5D77A65EA
SHA-512:	80147E578792B71F77E06659978C233E4BE7AB1352B056DEC3BCA74A0E5F5A6386983B5935467BDDA4DDF34CD64304843903A85DAC3C813DCF49457810E670E2
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-KSVRG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	78220
Entropy (8bit):	4.998804403921912
Encrypted:	false
SSDEEP:	1536:w4NORVKcNG59+ppOBpvKeGpWONtetjIC1uCLCCiOBG/60Oc5IRcofyW26IA9w:w2GVFU59+/O3vKeO+5G
MD5:	284D049932C02AFE360E12F1ACBBEB89
SHA1:	F5D588FE773BF163D5FE123B38FCAF70AF53F786
SHA-256:	9AD1BA3EF54FEA19A88AAABBAF13DBD8C798DA68B989F4E321594E54A5DB2AF6
SHA-512:	AF4E3F43E6A258E8E45A2983A2DC1CE29190163B2DCDE25DC4AB3BFF4F1FC6E07E14BB4023FC5A7F7C008463BD1F8D7ADCB12D1FDAFD6503B41E94D2E98D74F8
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Time

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-LDH1F.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	68377
Entropy (8bit):	4.979750507121544
Encrypted:	false
SSDEEP:	768:wqFy+8xrUJHT2njX8x3TLjwUtqYepAkVZEdvI9vTlQGY7Ad4m11j8yO61x3ftQd3:wqbuRTljIA9o
MD5:	64075CCDE1DCCB8ECFE54F35332A835F
SHA1:	A03810E438314EC637CE3CA8C864B8A91CC0C61E
SHA-256:	FAF7DBAA3E6BAC1513CEBC7046DAF26ED2B66311A2E59B28212E2DA47D1BE618
SHA-512:	CED1B296AB335DACE16E8CB1AD2029A29BF393D5C2C35786559FC46B31BFE9122FA67D59D1D3EBBA0F035ACF34397820B0A76FA81E425AD26E83993276874802
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f38\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604030504040204}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Tim

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-NA22Q.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42973
Entropy (8bit):	5.043020142659255
Encrypted:	false
SSDEEP:	768:wqFkwxjeVGh+DoLLXI1nhDGi3w2EHlT2njX8x3DkF8zHtrWM+cimZ/6A9r:wqR3tIA9r
MD5:	286021A4AA9BD225FA7A87089380213E
SHA1:	DA805EA3171A5FFF8357CD89F798D576D0B27E70
SHA-256:	C447B4CA501DAB11FCDFF381BABF34C63BE48B0DADBC538D2C5F1CD07F4D7BCF
SHA-512:	F4A21476EE1870D47162C29625D966D37C16B3F40EE30F54E68A8F81BAC74DEE3FD5C7489DC5F883745DB98E7BCB69B80DB00A664A3330FB0AB1DEF3AA9F7F56
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\\panose 0

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-PEOQU.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	54358
Entropy (8bit):	5.030949914338969
Encrypted:	false
SSDEEP:	768:Vk13TxjelQcX09coHJreOYSN4UIRopZMggLBbWm6CgqMPYZtYJxewPO1nS3jcL9A:VkLjoVq4TC
MD5:	72F2281B43D886812D0AB9227F12438E
SHA1:	9FA51047B63B8C6771351030059CA120DB60FCDA
SHA-256:	A1D007010FAB6C2E57A687E45B26AC54BCCDCB91D4310C0BD7ECD0C478AFF63A
SHA-512:	78FF6C728C82E2790C1D43759EDC5ECF4A883B6034246E4CC40A4526254E7CCBC766225B51A6ED22AD3B6EC96A2411F47922549146C7D621C68F9C8BCBB22226
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang3082\deflangfe3082\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\spanish\is-RFSPA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	38095
Entropy (8bit):	5.023434979525739
Encrypted:	false
SSDEEP:	384:qY6g3X45Y8qb7PzybdKkjYeQZBzyKIl6ZIi6rGsoUwEAG2DaGZ:qhg3feQZ5yKIl2U4Z
MD5:	BF8EAEFA279A7B4973C0AEA344342EEA
SHA1:	FC9B1F4747B94663D9BE6A446F8C186D981321F0
SHA-256:	05D8BABE44F84B4DD6022B8D236C2BF93917E8E38C14F3B700186B8C3C1209C0
SHA-512:	DDB4F723299CB3F50206830FD9809198923FAE710CE314A22558C26D235B85E1BAC6562C8A17C723857734DB0432158FC22450FE43AB3A0FFF5704D8CA885175
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang3082\deflangfe3082\themelang3082\themelangfe0\themelangcs0{\fonttbl{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}..{\f37\fbidi \fswiss\fcharset0\fprq2{\\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fh

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-0DVR3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	66624
Entropy (8bit):	5.059280595618483
Encrypted:	false
SSDEEP:	768:ZFRfhqedVWGV79ka9aTwjjJ6jNxLUsQZZ6jNcLUsQZZ6jNdLUsQZZ6jNZLUsQZZB:ZJw+PLTJYsdhYX
MD5:	6D34D466F1C68F15A6CC32AAE4E3E2D1
SHA1:	3F4DCE2646758CEF37887EBE9772970420FF6C2E
SHA-256:	92A2850CEC25C5578A53179E385BA1C32C3F41AAAEF0EC653FCCA133DA2DB5A7
SHA-512:	B67C4678925D41CAAC364BF4C75F1F407AEC91915121EA6BE3AF0794C63001330BC775F06BFB1E9F49B42494AA856A6C0D66D6114D9D0CA9F0B53DABF77A9E8E
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1049\deflangfe1049\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0302020204030204}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fdbminor

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-3A2SL.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42048
Entropy (8bit):	5.112920780203348
Encrypted:	false
SSDEEP:	768:TLyrsEue7ccoHUVQtqpBMV8SLpmo+6Xl5m/z3OgwXG6Ie:THEr3OgwXG6Ie
MD5:	FEC5348E8803947C2A90184FABCDCF6B
SHA1:	2D43C953E0DF8C80BAE2FE19792A1A0E1CDD33A5
SHA-256:	EB1C7F1EA6A62EC39DE6528B68F112EDB8E137106627A706DAC5F5E73EF4B785
SHA-512:	435FD2FCB064017FB68BEE751B1DCABB134867B8E27312D25589B10C87EDC68D74F52EDE56039A1E0395CEF9568DC72AA223B9EAAFA3AF09A079F9AB1C29A4D8
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1254\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1055\deflangfe1055\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset162\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset162\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset162\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0502020204030204}Calibri;}{\f41\fbidi \fswiss\fcharset162\fprq2 Arial CYR;}..{\flomajor\f31500\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset162\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbi

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-44D1L.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	45800
Entropy (8bit):	5.097060523282222
Encrypted:	false
SSDEEP:	768:0LMrb5Ke8ctMRcPMRC90OmDcPMRC90Okj+yXpcrb+/z3OgwXG6IN:085ERZau3OgwXG6IN
MD5:	BF226FC63E045046722D8F7D54D3CD48
SHA1:	6134D8D56E0E9FADBCB931CD091513E69A766D33
SHA-256:	1BC9F58D4EC025B08FF100A71397F11FDE77AFF49271545A7C91ABCECB95BD39
SHA-512:	EAA01E5017FE5E9EB5C383C708F0229AFFE70E465D7460BDA475117BD56B12DC52669D59DFEADD28EB8B82696ECB48BF8F0F6BF13422D733FBD98EDD54E7A10B
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1254\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1055\deflangfe1055\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset162\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset162\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0302020204030204}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset162\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fdbminor

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-4QOBN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	41746
Entropy (8bit):	5.1082830705303195
Encrypted:	false
SSDEEP:	768:TLmrs4sAvnoBVFroAWBmho4cnTseRnomp/z3OgwXG6Ik:TL433OgwXG6Ik
MD5:	66827CCAAE125825B1E69A77C2F3C184
SHA1:	AF5BE3BBE593D4327EA77157EE4780A185C50710
SHA-256:	6444F8ADA3675836844F7320C0F588572EE3D7C890A4DD5E8132CB17DC7FCBAA
SHA-512:	526058E0E367398C4E3295DA8B0F07118A1DF628DE4CBEDE276516E1FB045A33B2757768AE3713833F24A23E49667BC33BA43679844B0E68A9843CE390416984
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1254\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1055\deflangfe1055\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset162\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset162\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset162\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0502020204030204}Calibri;}{\f39\fbidi \fswiss\fcharset162\fprq2{\\panose 00000000000000000000}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Ro

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-5NGRG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	50542
Entropy (8bit):	5.082123818083202
Encrypted:	false
SSDEEP:	768:0LMrbAKeJcmz0s4ieSRukoMV8SLpmo8uSYSyWBKnObct3/nf4qY3BtHn+/z3Ogwa:08A7YM3OgwXG6I5
MD5:	8375A1338E343C284BB1EA8461B16EF5
SHA1:	5329FB0F5AFB566177F45FE49A7FF0411571CB6C
SHA-256:	6024A7AA29911E5D8670FC1028749D736D95115AA89E07DC00C823E68101B032
SHA-512:	98D1213836A17D44072B11488BF9FB5DF408A3B7E1D0EED7CAE13C3C6DDEF09EE52C613C20C7277410BAFD57644A88B4EF9286B9BB5D31C79DB6E9D30F4317AF
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1254\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1055\deflangfe1055\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset162\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset162\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0302020204030204}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset162\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fdbminor

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-5VA4O.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	41048
Entropy (8bit):	5.100342903202798
Encrypted:	false
SSDEEP:	768:XFRfQuekVh+DiDhZ6jN3muIV3brtEeLUsQZZ6jNS23FmsZo7I1Jj:XYz0CyH1V
MD5:	830A25F0F0DD4201CEDCE5A71290F52B
SHA1:	7E8035CB05D3883857F729AD02FC772425DE859E
SHA-256:	02A019309A83F3E82D5231C7E1861F7A54FFDF8C55C0357DC8335E56D89A8806
SHA-512:	5F25190BE2A3C305113595C9517DC4CBDB7D6D6DE35B514C1E6F15AEC3BEDA831F6A600D5876262D93B93A40245A1599D0BFA5CAA37F94937C30E6B4ECB52EF5
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1049\deflangfe1049\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 020f030202

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-6C3QT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43564
Entropy (8bit):	5.107218209627063
Encrypted:	false
SSDEEP:	768:TLmrs4sAvnoBVFroAWBmho4cnTseRNoUCXap/z3OgwXG6Iu:TL4f3OgwXG6Iu
MD5:	1D227690D1B4A573597374FEDFC0E5A9
SHA1:	73BD11FEBB9219AD6FA0273AFF4B7440E594C3AA
SHA-256:	D795CFADCCA7514424BD9A335CB14C4AB410225B7A2628982BC9A33851E4DB3C
SHA-512:	BD589D52D6F12E9A02814C67DC52EBECC1EECBB3A686BBED7A25C9F65A8A1A7D5BF331DF61933CD0A4A383A80366867AA2890F371174F77FF4E4B153DD20ED17
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1254\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1055\deflangfe1055\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset162\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset162\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset162\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0502020204030204}Calibri;}{\f39\fbidi \fswiss\fcharset162\fprq2{\\panose 00000000000000000000}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Ro

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-9IS5P.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42485
Entropy (8bit):	5.10644966338614
Encrypted:	false
SSDEEP:	768:TLmrs4sAvnoBVFroAWBmho4cnTseR6NnE0/z3OgwXG6Iq:TL423OgwXG6Iq
MD5:	2F22B5B2B29308EFA8F83A2A7756F134
SHA1:	5AA36D0592B3A10518F28AFA7C65D338FD29B64E
SHA-256:	F19658BABB054B874513345E81C3F3294FABF41C2F1A35B245510E307F782A5C
SHA-512:	34902F5B360C5DA92E49B7C22D18250D504CF3186F229FADE902AFE617B3B13D47D0E8CB11B2423F8A1DA487B1140D96DCCB22613EE16D3ACB9BFB5DD72F1071
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1254\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1055\deflangfe1055\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset162\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset162\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset162\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0502020204030204}Calibri;}{\f39\fbidi \fswiss\fcharset162\fprq2{\\panose 00000000000000000000}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Ro

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-BIBGE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	35217
Entropy (8bit):	5.100503141917066
Encrypted:	false
SSDEEP:	384:ZFRfkkIOxdWvXLV2NakmumYjucj+jaUysUredZjFjDfA7Leo75Y3k37pHYfjioJW:ZFRfAumYicq2BlMZB/A7yZo7IJJW
MD5:	1456CC4187B4C904B65403612F948F8D
SHA1:	D8636D6B2B0EDCB47001AD5D107643D66C4A0623
SHA-256:	FE38EEF744F8B1E2D385BDB4487C795BBF4B74E6C4EF2B61201E4276C04F941E
SHA-512:	CA7E563B3552F12DB33F6AAC2946AB7DC1AD83EA1726529A42C06F236AAEB896169FF4AFBC990AFC12473498C07584C3CA18B148F0184FB295C2DACA2482187B
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1049\deflangfe1049\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0302020204030204}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fdbminor

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-D17T5.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	42288
Entropy (8bit):	5.108390882492053
Encrypted:	false
SSDEEP:	768:TLMrUuh04mIYKRXOYIX6tS+zdGA+ElGj/zdUIpeabvJ:T9B3dUIpeabvJ
MD5:	97897027B8B5FE133581EA13A6EE7976
SHA1:	614F116D74418D950D6E6D0989BF7249ED77721B
SHA-256:	4E4734B0CE3DCFBAF08B4EBE18926E6AE6E63A50F0C4CB6D47452EACF9253F2D
SHA-512:	00755B8B03BC8A83B36103E79C7FF62BA50816C4669A8CBBFADC4CD52E31037BE1ECD3CA93EC1A3B5D28363F54E49E3C91F461D6BB7664FA7D7327BEE75B9780
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1254\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1055\deflangfe1055\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset162\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset162\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset162\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \fswiss\fcharset162\fprq2{\\panose 020f030202

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-F2C4I.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	37812
Entropy (8bit):	5.098588085153387
Encrypted:	false
SSDEEP:	768:0LMrbpuhyiJXQIfR8+mo2VB/zdUIpeabva:08py5WdUIpeabva
MD5:	32604687CD540ED2D4E66FEE8FB4A125
SHA1:	29FE76F14A1D21DF0E2AF0DF2C84255E734C020D
SHA-256:	8EAD5B5379FB2F98AFF59D49A2BD8224A93702CACA0DE228A65449A91DFD87DC
SHA-512:	1C1B8F794DDB946B983A3193B5FD7DAC373EEE11CB5BA27FE8B0723B00C230971E6C722EBA5C52CAD1234AF41DD98FCFD0AAFBE1F44F474EFCDD59DCA3BBBC49
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1254\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1055\deflangfe1055\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset162\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset162\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0302020204030204}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset162\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fdbminor

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-F3I07.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	37709
Entropy (8bit):	5.097982097595037
Encrypted:	false
SSDEEP:	384:0LMrCVmd0XKvpXnKnfmuh4jc0IXjFkjWrjfjOjWj3Q1/i6rGsqFwhR/MizFZKeBt:0LMrHuh4puRkAzKqLQ1l/zdUIpeabvr
MD5:	B6940DC6E8FD337224A965573CCC6C96
SHA1:	07F590E24341EA99AD71840F0ACE09FE7BDFD3D3
SHA-256:	D6B44A01370E7516DE60CB797FB79D01BFD0A1734FA8EF227B7537A7676C29AE
SHA-512:	CD3BC33236797086019006FFB4CFE5DDD3F796A1966A008832DDE0EC10DB6082D3ACAA2EFE5487EC419B89BA9A39B2B96309C639A4F3EA0F22FD505F4417A9D5
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1254\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1055\deflangfe1055\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset162\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset162\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0302020204030204}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset162\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fdbminor

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-GIECV.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	45843
Entropy (8bit):	5.099884587726615
Encrypted:	false
SSDEEP:	768:XFRfvKmGHTwjjJ6jNBmuIV3brtE/TnFkUpv0jxZGcAK0njUZXZo7IJJY:XHCMHJ2
MD5:	FE6B9C7CF4F0B6627DEB585E904CDBEB
SHA1:	552B91CE134693F121234EB5E3CA538C60449B7A
SHA-256:	74FDB6A5CAB4DAF2D175C831124D75631EBD1247BF1C09F43BA8CDA3B4241B56
SHA-512:	ABE4C5B9A2B1F074A4D9A470AE2173282DFCDE63382CCC7311DF3822698CDB4A7F02B98D85AAF3DFFBC0E97F734E026D5F97438858AB5BC76821F4CD8D2D22E5
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1049\deflangfe1049\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 020f030202

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-QG4I7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43496
Entropy (8bit):	5.1077571102439245
Encrypted:	false
SSDEEP:	768:TLmrs4sAvnoBVFroAWBmho4cnTseRIMXyTsx/z3OgwXG6I2:TL4P3OgwXG6I2
MD5:	FDD5D42614DC8C5255D6808F5FB9E756
SHA1:	462F1BE33F4DE680C46F27A2732136F2A96EFB29
SHA-256:	1615765F4CC8649F16975820F90F5FA6117F28CD97771021C8C8449B169B6DF7
SHA-512:	46CD50DDBE274A62EC6E9D8650A71C16D4B213E56700CDB5FDE6BB880CC2096BD21934BADD8B27076313E9F57DAE468F431674B7D55D65C59C4B0DEA6922307B
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1254\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1055\deflangfe1055\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset162\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset162\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset162\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0502020204030204}Calibri;}{\f39\fbidi \fswiss\fcharset162\fprq2{\\panose 00000000000000000000}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Ro

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-SJQGD.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	41095
Entropy (8bit):	5.105004070141461
Encrypted:	false
SSDEEP:	768:0LMrbpuh4puRkAzKqCV9mdecy46Xo/zdUIpeabve:08pxnmdq46IdUIpeabve
MD5:	90E7A977D4DF30B041F323B8039EC7CF
SHA1:	792587C64C654021CEBEC446E6DDB08A49D1B2DA
SHA-256:	F7E70A032DFF7371ADB12C85526C4A5F75F8B4C381EAC028873B8DB8AC0F77B3
SHA-512:	E35BB3A910EB4D5CB2249E3833A02C41153EB88B02C5FC949B4FFE7C0F6CF436F2BEB977670FF1155F89774C2499C15453A468D3A094DF6370C02C0954E291A1
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1254\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1055\deflangfe1055\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset162\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset162\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0302020204030204}Calibri Light;}{\fbimajor\f31503\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset162\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fdbminor

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-T760N.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	56344
Entropy (8bit):	5.080914742415937
Encrypted:	false
SSDEEP:	768:XFRf9q5GHTwjjJ6jNBmuIV3brtE/TnFkUpvM5TRx5U4hU8Ks2Psny7GsDtj8pq1O:XV/w5TbofFHJC
MD5:	021A32D0F2C2B20D1C8045C0018ECB14
SHA1:	AA66A0EF24303233B668EFC6B3CE2CBA8B89AA7E
SHA-256:	DD3625B3E658C17DAD67E9F58175B89691412A3C2463625A14CE18E21ADD84B0
SHA-512:	79AFA71AA7F8FF784717671AAB111A78154BC946D17B743DF3196E64E21C2BCC42977BA6FFC8826708270AE57B366E5A446D49F4A175B4A39AAE76987F0669CE
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1049\deflangfe1049\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset204\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \fswiss\fcharset204\fprq2{\\panose 020f030202

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lng\turkish\is-T89BV.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	43858
Entropy (8bit):	5.1066210164319585
Encrypted:	false
SSDEEP:	768:TLmrs4sw9FmdVFroAWBmho4cnTseR4Jv6YfpgC/z3OgwXG6I7:TL4w3OgwXG6I7
MD5:	47A87D6CE96B1DCA2C609A778373485D
SHA1:	15823BE17A06C6C57EBAF6D0E55F56EBF0EFE98F
SHA-256:	9276B70DE54E2675E72A84AE277563D4518A0DC56565379378A7CC3B10488697
SHA-512:	D717567ED8C4A25270312E31F2481241A9B164B8A04D19C68A1BF3F9BD8890F99C3A0F4A76AFD6A4A24208F1BE16D9F10FCEEB36099828FCD3F35AC8E92C498E
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1254\uc1\adeff0\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1055\deflangfe1055\themelang1055\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset162\fprq2{\\panose 020b0604020202020204}Arial;}..{\f2\fbidi \fmodern\fcharset162\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}..{\f34\fbidi \froman\fcharset162\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \fswiss\fcharset162\fprq2{\\panose 020f0502020204030204}Calibri;}{\f39\fbidi \fswiss\fcharset162\fprq2{\\panose 00000000000000000000}Tahoma;}..{\flomajor\f31500\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset162\fprq2{\\panose 02020603050405020304}Times New Ro

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\skins\is-2ECPB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	data
Category:	dropped
Size (bytes):	61361
Entropy (8bit):	7.974577216527501
Encrypted:	false
SSDEEP:	1536:hsQScTKMW3NmUWxxSvsA+vvZQnBIuzN1SKvzuQ/S93iiXmNF+O:0c638UWrSvsfve6ux1S5Q/sm3
MD5:	DAC5D65C6B4F0B8483DBDA7EF4EFB3F2
SHA1:	BE01B81E548343D0888E912CDF3EBCE5A613CA85
SHA-256:	FBFCC9AF1DC9076257B3D38BDA525B13E0BA96EAD1DBA4178C5C1AE9DA28169E
SHA-512:	DB98B144AEEB09A3B0480F908DE0ACFA6D5832F8EB48D025048D6D6FFE2E01BFF46D16B3BF5AF5B1E6129E749A01E79968C79429A3493979CAAE519E2E22642E
Malicious:	false
Preview:	........x.....G.-....7.......w.....hv.F....F..x..A..y?.H#..FHB.0...w..M.M{W.].}7..;...d.......?tHeGFF.."NEfT....R.A?...H'-...c................ue.6{.!2.WXJ.(......;..N ......;..N ......;..N ......;..N ......;..N .....w....@~'....w...@~'....w...@~'....w...@~'....w...@~'....w....N ......;..N ......;..N ......;..N ......;..N ......;..N~';....w...@~'....w...@~'....w...@~'.......9.....8..{d..)......8}.Yd.H..>q...C..N.0u:.!...?;y.!.....4...i...DM";D...g..";D...Q.%;D....c..".p...%;D...a..!;D...!#G..".p...#....8}......8....d.H...o.P.C..N.3h0.!.....0...i..{..@v.4.....#;D...n}.>..S].."........[."...m;t$D....w...@~'....w...@~'....w..........Q`~..+!....{.BD...k.^....{..}......}..".....$D......L.(0...2..Q...<x...O.".....CF.$D.....M.{(..].L.:...`.}`..UB.A...>..o[.i1.=........I....6^....B.^...W.....,...;...2Z<x..'.'eI.J.(Q.D..%J.(Q.D..%J.(Q.D..%J.(Q.D..%J.(Q.D..%J.Ke.W.?.Qg.V.>xPf...W.....>....D.h......>m!...........h!.{."%J.....g.n...m.....ujk^a ...W.0....(o...~....

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\skins\is-367PK.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	data
Category:	dropped
Size (bytes):	65863
Entropy (8bit):	7.956619819086428
Encrypted:	false
SSDEEP:	1536:O6yYtz5wY3k3atdbzv0dBtGQKF30k2V7qyEEQq2uUwAqlgQM:O6yYtlxeaktcsJQzvqlgQM
MD5:	81E1F6AF711947DE0DECC68E58C0C293
SHA1:	557A98909549083A962BE781FA01D74979D01DDA
SHA-256:	B1E632717552DEB6BAB0D84839FC698DEA272EC0D1CE4A757BE5246788AB066A
SHA-512:	D2436A2CED9335BA4B4E2D08EB8449FDCDE43135A138A9EF6F73BCB7A98B56BFC0C8FFC29CC4F604B4F782AA0596EFD712F74B035A081ADFBFBCD88C015DACAB
Malicious:	false
Preview:	....?...x..].@.G.~..&j4.cbI.I..W.....b.).h,1F#F.{.FS...6......(`...{/r.{{,Y...=n.x..........w.ofK.Z....oE/..Q.a....7..p... @./.\|.d.....?_N%'..........l...J..O.n.fA..5......:...~g......w.;......~gc.......l.w6.;.......~gc.......l.w6.;......~g......w.;......~gc.......l.w6.;.......~gc.......l.w6.;......~g......w.;....~gc.......l.w6.;.......~gc.......l.w6.;.......~gc......w.;....~gc.......l.w6.;.......~gc.......l.w6.;.......~gc......w.;....~g......l.w6.;.......~gc.......l.w6.;.......~gc........w.;....~wuu...O.f. C..J,....J.......`.>..,.~.d+1&...[.1...J.I...VbL..+l%.~.e+1&...[.1..o..........l%.~..VbL..{l%.~..VbL.. ..cR.?f+1&..S..cR.......=......l%..~../...#.J..........{4[.1....b.J...>c.;w..c.J........W.].V}....Cw..O.8.W....J.J`.hC......t__.....k<...@.f...E.......{...o<.p#........9.uR.9t..JG.[A..Y.A0.2...=b......>...J..l.....?./\]]...+.z...c.....u.#\.A...l. ......6......~...q.x.?..........\|P.qq.-../..lq.-..........;........;..?...]q.+.w..o..#p?&...A.?.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\skins\is-3H9HJ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	data
Category:	dropped
Size (bytes):	47367
Entropy (8bit):	7.962365375624471
Encrypted:	false
SSDEEP:	768:k1CdRYP33ZhH7Dsk+0msPSEBEilsj15FNPj1bgC+UTbhrpyambFRVrn3hh+PX2zg:/uvob0m8EiujFNPREhOhrfqFRV7hMv2k
MD5:	E7B7F860D4178823CB0BF8A87AAED3E8
SHA1:	4F819FE07BD2A290877DAC09158A342F00A2AFE7
SHA-256:	2D042AEB8DB400EB4E3BC283E7546EE93D4ECC6B8BD5DCA0D89819DA517466EF
SHA-512:	105C6F1706497252BDD95CE96621B8B42E10DCFF246AFD302723AAFC99DE2C8F168C366E79E9D1B7F151CF1D755B7D74BBB8AA0152B89B729A0634B7E0240CD9
Malicious:	false
Preview:	........x..y....){<..3......m...-....[R/.n-.V.$.ZZ..#\|%$..."...X..B...`..{...6........w.#&....../b...o..p^w:;.O.sj.:.y..NV.[.o......z~..F......$.........#........Ce\.2.GeV,C.!.2.X...eH.....p......!.2.X.,C.a...c...).!.2d...Y...b.R,C.!.2.X...eH..).!.2d.R,C.eH..Y...b.R,C.!.2.X...eH..).!.2d.R,C.eH..Y...b.R,C.!.2.X...eH..).!.2d.R,C.eH..Y...b.R,C.!.2.X...eH..).!.2..2...Vn-Y.!.b.R,C.!.eH..).!.e.2.X...b...).!.2.X.,C.eH..).a9...c......e.2..)C.b...).!.2.X.,C.eH..).!.r...P...eH9R..G........OeV.e8....p.Y..a..Y..p.....3.......5jhh.h.EeP(8..Q/.."6.....L.E..C....k.].pA..9TF$.!...7j.{...o.;vL...r^R.(2...o.?...\|...o...K/..\.....;.rF(.......bBa..Pp(.Q....?..O..........O>.[.>.tS(......."C...F.....k..Q9..I.w......o....?.I...Q.._..Q.EQ.EQ.......^....Q..g.WG.w..Q.........+.o...6..l......{r.._...&~.....3)..k{)....R.JEo./....T.=..~....k[=....c.qj~l8.xm.G^o..S......9u.K..]9.J.....c...s......L?........4.C+W......S.c.2VN.....^4,l..2..r.Ue,5.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\skins\is-3POQ7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	data
Category:	dropped
Size (bytes):	74289
Entropy (8bit):	7.983650396991257
Encrypted:	false
SSDEEP:	1536:pyMfdEQ9zaVeRu8IDdsxPBwaUXYPRuFEDNJs9Li9GE7bpgVkSyml:pyMlZNaV2U5s7wLXYIuDNa9e9GE7G6Sh
MD5:	1390E5507BA0EFAE031318614A527C91
SHA1:	1327BD4FC6FFFADA97721375692ACB2E39F4DC95
SHA-256:	8C7BF368852F4FB69975B3841708CF654B0A22D02ED4BC2D95574EE50770694B
SHA-512:	B505E89C3A8C063A852C6654B58AEC996C6649692ED42584C69DE70DDE8F46C448B1A7B00B7465945B4BD2710A565FBD7C6A00556221DDFB5D966CBE3E8C8214
Malicious:	false
Preview:	....)"..x...s.Y............L....?`6v7b_w.n..jSNeUV.r.(.(.%.Q.I.F.=EO....{o...=e.{@HP"...I.'.#T"..'....y...?-......,.O..........[..u~._a..........e... .=!..2R..s.....B7 3I..,..yk.}\~....W.. t.2....4.......y..Bs K...w.o.. 9.......?.=......$'.\....].)\\|.$F..! c!o..[...e..i...RJ...I..g..B.5..lA.....FR~..s...S.}......[7...e..$.l.?A. ..3....o!.!.I....:w....A.o.....A...!d#9w..F....].A...G..$.A....P%.NCB..5.Z....."6..2w.\|g.s.....6o.....~.n.^..G.....K...(%.~...1r.j2,e,.'b..&t.1.. ZV...Y`.mV3.!d#)?!c1w...>Q..dL....P.g..kO>w..E...S.>..n..L..!5S.......%AB....aI...,..OR..[`H.6K..k...2.4`M...$.I3D!......X@.s.k..?w3..Q1S.r.Ic..)F.Z.Hj...S.R.1..~...Go.b..\|.:.... V3....X(I..,..v+..}s....r.fAR..&X)..E..}t........0w.%...m.AR.#A0w.\.s..Y...3.U..d.....F.,...]...`."....,<w.$^. Y.}dH....,....t$.$...9.6.....]..A.G.....a. ..Z.ds7.M...V }..]kR..B.T..t..~. ...H.$s.b./.G."t..7..5.tI<0.AR..o..5.T..- }..].^...$[.u.$s.W........*..5..Z..A..^.L2w.Z.F)C.l.Mo....(.J).d..J.d

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\skins\is-9778M.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	data
Category:	dropped
Size (bytes):	63924
Entropy (8bit):	7.981383813742454
Encrypted:	false
SSDEEP:	1536:OVuuNRRWZGzeoGBz3c0GaWGCywXfi4kvMG9Or:GuuN/zlgBlpMG9Or
MD5:	84BE9F08F6AC3191FC36CBE1F0C29007
SHA1:	72EB8308E4B5DCB1FACD0AB128E04EBC31FBAEB8
SHA-256:	A3EF2C08C1465BDAA8AAFC8B77A6347BD65CD92EB1738242362F74889CFDA630
SHA-512:	FCD8906E3F6A638185608869960A990F3DA2EE9508674E5FABDA588DF32B39625B5845AC3D975FF8F7E7CD8375CAFE6A7CB6C79C45D8EA9A7850238E95CF09BE
Malicious:	false
Preview:	........x..].@...5y...M.1y)j........a...]zGz..(..."..D.. ..{.5.D.c......n...mvv.].;.....o.w.3...........u/.......H.6......X.\|6.o.T....(++[.tiNNNFFFBBBhX......[.._dXHjB....9.....[.p~cf..D.b6R.h...z.U..@a.3P.h........A..%..Z.??..9)))....~.q1..'g..F.....y.:....m...A3@I.'P.h...:....@y.?P!h....TTT.`..........y.3fOO..0{...h...B.......@s.<........]Z.dIVVV..........;...@ 41.NP.h........A..K..-.5+%9e......?I........@..B."(.t)7779%.. .s..?....<BcE ....../.<........]........>.].\K.=.@ h..>..@j.?P!h.......Y.f........C,........t.@ H.4...T.....i..A..H.eK.Rb..}A.KL.....~...^h.]...;......z@C.$....O>....5..2..-."A.6.+..2.-..=D../.k.f..={..O..>......D...z@C.$.....O<......B..H...u_\|...2..?..S.57.7/9j.$".H......=.....e...A..Ke+..}....t.g.AlRx.......o;".H.P...T..K..0\...<."(.ti......=..b....]......y..D.&..@.p...k.Ca......K.6..{........]...R..O$....J....]z.s.(.?..Ov5.A...=...\.KYaS.....D....$.....D.%".H$]"..-S...@.D$...K.?...?...h.m[.%".....s.(....<u....t

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\skins\is-MGHN6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	data
Category:	dropped
Size (bytes):	27663
Entropy (8bit):	7.90463581132329
Encrypted:	false
SSDEEP:	768:cMmPZ4Bc3LNhpK28BWmW0l2QbBwgx+9VBo7xXz9YAgx3p8:NmPZsEP9I2wBwrHOxXz61x3a
MD5:	C9A294C557F4CA094C11719AD8D7DEFC
SHA1:	3FEBA4F2A142FCC95C74F6FC0E520C4A369BB5A0
SHA-256:	EB1BE2B4FBA03260128E7EC0F5CDB8F4320E5D21AF40E7DD8EB956429B4AABEE
SHA-512:	1DB4E0649A2C2D8C75641BB9A374FC9B5A8CCD4D9336267D9FD1FA680EEE5DC48993910825303F4CEAD9FB3FD2D1814BAB39A21C1A5F74A7605E6555560B0181
Malicious:	false
Preview:	.....l..x..k...}.7$%J"MI.je.H..D...8........._H..`.....`....@..@..H..q\Zm.....:...&...nRY.6.u..IU\..&.Rv...i]..<..9=}........a.x..........v.{.qF..o.>....Q?.T?....f.d....n........!..Pw.}... ...O.>A.....O.>A... \|....'.. \|....'.....O.>A.....O.>A.. \|....'.. \|...B.....O.>A.....O..'.. \|....'.. \|..>A.....O.>A.....O...'.. \|....'.. \|.O.>A.....O.>A........'.. \|....'.. .O.>A.....O.>A..!\|....'.. \|....'....O.>A.....O.>A... \|....'.. \|....'.....O.>A.....O.>A.. \|....'......c.........$G/%X.$Q>.M...>.'.....\|.O...'.. \|.O..>.'.....\|.X.lB....).I..'\|....'....$..S.\|.P7. 4.n.>..o.u...~6..y..}k../....~....J..,}...g#.q ...HD.....(kq..V..'<....C.?...........8. l.m....z.....P$?.{.......hh......}aH.....=.T.WH.........{....Y~....a.$J~..D....`$"..!]q8......(.q..$.W.j...u..8\|..B.K....."X<qH.Xz.8\|.R.`I~..{nK.K.....-.,..{.#X...o........9.E...O~..Y... \|.By...w.W.[....8\|k1.....j..=.}.._/~...7;[....N.._.uj...KGvW...B..J...f.C.........7....m.-......8.y"7.re!...-.>8_6.wWJ.).ur..!.q.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\skins\is-P0M7E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	data
Category:	dropped
Size (bytes):	144577
Entropy (8bit):	7.984713151564499
Encrypted:	false
SSDEEP:	3072:MZk6EgfzDfFnHj9A6d5qxvZkr0U26aqBQ5fzFZeKcrjXgtrOG79:M1fzDfFhAE5ykr0R6jBQ5rahgtrx9
MD5:	F7F4FE155A8FF420BCB4710212F0D469
SHA1:	F6A8265AA0504CE12397350A6CEE41F3B799B40D
SHA-256:	0232D8214B2FA4C6E261D72B3FB1E8EB76599F372FD8880AA252F4F494E7A7C1
SHA-512:	2205D714D4410315E4887A6B54306E99D4ED0B591284D20BE1DD451A4657DA039B9877698113E150059587216AE121E2AFDA14D3E74E649DB60B19BC559AB3B7
Malicious:	false
Preview:	.....4..x..}.`.....w...K.$v\|..8..vv.v...[.r.-.eu[..,Y..D.....{...@.h..{!@.F.S.gwI..A...........y3...........,...../..(......w._.....{~L....a&A.G..)@s.........4.h...\..@@s.........4.h...\ ..@s.........4..h..\ ..@s.0=s.\1.........4..h..\ ..@s.........4..h..\ ..@@s.........4.h...\..@@s.........4.h....\ ..@s.........4..h..\ ..@s..........b.D..r..L..N.oR.^.o.....,.9.Y...&.Y...i.&.0U..n.>......Y.N...L.1........`.^.a.....D"F...) .B..Ke..B.N........B!C...) .B.R..n)`....h4..[...b..Z........Cg.J.T#."..a...0.......V.C.S@..h.@...)....Y.pK.S@..f.D...) ...p..n)`...p:..k@.E.....s.r.....0..\....L....\|..b..{{Mf#..-...?:...}f.[.....X."...f..V..4...n..................6K..p.D...C..`.....v...8....)....b5.0. .J..A..0. .M....._.................p.....w...a...>L....`SWW.=.8...&...a]...........................a..nV..S#.....I.p..w...W.......<.{=.....}....?...~......3.(N.fG......\........Ek..........)'...}..D$.I$..T*....X.>>T. "..\|>.(;1... ...C.....iRRR ".`..q.q.=s.0.p"T.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\skins\is-TR0C7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	data
Category:	dropped
Size (bytes):	93110
Entropy (8bit):	7.980490586282423
Encrypted:	false
SSDEEP:	1536:KSERpvQcTD4m7uJB896GhoGf96pxWrGbZ3Wi0lXONwy/l+U0/F8/HftM6Tg19+Nc:tERpZcmQB89f6sGZWfX8w2+UfXJU
MD5:	C8EF42B94E09A94F677FB1FFED974205
SHA1:	BEE03B2984273D08E17C0351CD8E7B8E640E0CF4
SHA-256:	7794BCAB01CA657C2F908C79EED3AF9EB4B4585ED933DFB24F68B7AC5CEA4C4A
SHA-512:	DE4223558585667D040FDC14647EB0CB9EBE0001EE459E3E97A12C727017131354720BAF5F3CA399E11A17FBD61C65480836FF4F336B506753438FE8B42FDB56
Malicious:	false
Preview:	.....k..x..}.x.....Y.....~..e.~...v..l.yI6N........N...q6..l..E.z.)Q.EI.{'..X$...t.D.XAr..g..`P......w(..w.....=s......w...!.,P...-.g..\|.K.>..1..w...?7~s...6.\|.....F...y}/....4l..K.hF".2.b.h.P.2..C.h.?.d.hX.@H..j.@H..a.j..@.#..a.j.5.@.#..a..5.@.....a..5.@....a.0.5.@....Q...0...F P...0j...F P..D8.6.2?...O..........a..5.@.......;.C.#b].5.a.j..@.#..a.j.5..u...j....~.5.@.#..a..5.@.......j.0.5.@.....0.5..F.....0...F..Q....OP...0...F P...0j...F P...j...F.#P...j..@.#P.aDlh.X..F.....0...F..Q...0...F P...0j...F P..D......a..5.@....a.0.5.@.....0.5..F.....0...F..Q...0.!..+y.....a..5.@....N.s.aD,k..F.....0...F..Q...0..^..`4\|.j...F P...j...F.#P...j...D.}.a.j..@.#..a.j.5..)....F.....0...F..Q.8...j...F P...j..!5...0.5.@.....4\..F.....0...F....O....a..5.@....a.0.5.@.....0.5..F.....0...Fl...P...0..n..B.#P...j......\|.#.....y.[.c....H.....i.....!j...F"._.w....a$.5.D....a.0.5.D...H.0.5.D...H.0.........a$.5.D....a.0.5.D...H.0.5....5.D...G.3A...H.0.....M.Hd..a$2.I.q......V............

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\skins\is-UUF50.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	data
Category:	dropped
Size (bytes):	122200
Entropy (8bit):	7.981243125429923
Encrypted:	false
SSDEEP:	3072:LcJ9eG7nGSn39jEfKuu6Arxa7DcbPDxMeYw0Hu/dxjfjOL:geGnh39jEfKuz4ky1J0MxE
MD5:	13E9A3A7019801450759DB3C1123B986
SHA1:	4C5CD7A1176217FAFBB92B285F5E39C271C2D26F
SHA-256:	3F8FBC9026671A1B94C6AAFD3FCB11CC015A950512883A91B0620CA22739FC31
SHA-512:	AECB72D9DB235476744C0E9A3CD8884231B38243E2B60CC4DAC84503B2D6EE42CD1EBF3A49A231724998E580A8910E0F05A1652A916987EE6E2D860D3C37258F
Malicious:	false
Preview:	....P...x...x\Gz...............z...zg..^.}.f...3.K...hFY#..F..II..)QY..A0.$.@$..s.A.s..@G.._.j4N.n....h4............9..V.\|..O...rc.7....\..U....V}]..#.....J..*..G.!d%..c%....p.\t.A!.....BV.H.....A.AB.. . !.y.y...<.<H.a..t.B..9#...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.a.$...AB.. . !.y.y...<.<H.a.d.$.0.2..B.....!...B.. g...<H.!....<H.!....<H.!....<H.!....<H.!....<H.!....<H.!....<H.!....<H.!....<H.!....<H.!....<H.!....<H.!....<H.!....<H.!....<H.!....<H.!....<H.!....<H.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\temp\reg\is-8S9JQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	GIF image data, version 89a, 327 x 57
Category:	dropped
Size (bytes):	7609
Entropy (8bit):	7.838852889190603
Encrypted:	false
SSDEEP:	192:CRjl+OutIyaaHKip9QY5Lg6pWlicYMG5/b:OshLaIFUug6pGzo
MD5:	359D85C48DCA7C9C529A7EC0F4D30DC4
SHA1:	749EE1A5C90299C9360DD3131222CE92584FFCC2
SHA-256:	03BBB9C7C115C8FD5E2FB573B86687AE27672C7F8B970FB9661E5007FC6E42BE
SHA-512:	9494049C968B6BEE93090630086EB4D8129B48E5E6CBA3CF2E7EEF2114948316D0068F859594EA3A464AB2FE99510C1C94EEF786A933114C0CFC630C13435B1D
Malicious:	false
Preview:	GIF89aG.9....Gq.....$...Z...ud.........\|.........,&..........M5.................g.........................yv.....6.............v.72......g.L........C.................T.......m...kg.......eX...X}.k..{................s.......{..........................................n...................C......ZU..................................................`......D@.M........z........F..........\|..a....................i........................s.......UQ...............................4c...................?%....w.#Y.BBB.........000.........fff.....888TTTxxx.ZD..........................d.........................................................................r..*]....Q.....U..~............OM.......................................................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="ht

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\temp\reg\is-LFCVV.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	GIF image data, version 89a, 884 x 198
Category:	dropped
Size (bytes):	90361
Entropy (8bit):	7.9769989580983625
Encrypted:	false
SSDEEP:	1536:Zy6BW/LDE6LyfJVEr+jMi2hm9YFrRUv9Ie2eIDtTER:M6eL46LCJVpCsy6IAIRe
MD5:	3475836FCF6BBE603D1E83DD8A3C4765
SHA1:	DD92253B2600C1612FDC657FFB41E4FD66352C6B
SHA-256:	F8E582779693B4DAB740E13721093D9B8EB69DC0FF5CFACB5208C04321BA37F8
SHA-512:	8AE5E48692962A7F8049521F3B3510F1F1B9EF7CAF4A40526D7D6286BBEB647CFA54D88AF9A8E03AD884A42AECBA677E0A229577A394CD228CDF98E0F99506E4
Malicious:	false
Preview:	GIF89at..........u.J................i]OOH..........mQ...K2..C$..............B.p..X...dH....V<........M........%#"...........z.....[&....x8#.........`..............,$.....}}}.._...d0......Hw.hih...L..............xK..q..v.............e(......~......`.z`..........g.;".......t..........Y....r+.....q....xd...........R...........ad\.......WA......a...Y).R......3... .....]CHA6.......n............z ....a<..2.b...................L0....%+...nst]cc......lnk..M..x....QD.....&........Y..;........syu^^X......~..........fnr..e..xL..................U.hV....`..j................D....g..R....^.....<5.vqCCC..84/..2..5../..;.....&....L%.r+...........).....................................................W..V.......v............R......WYW....?%.........!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="ht

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\temp\reg\is-SOD12.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.248529327128576
Encrypted:	false
SSDEEP:	3:N1KJS40dyTKVQXGNErnVernn:Cc40dyTK6XaErVer
MD5:	8F1A40DDD71F7EA45DF0E2FE0BACA597
SHA1:	E64C2983DE93F6566752E01BC0A2A5F3983759F6
SHA-256:	2360EAEBD32653D08F75DB2F1C2AE67F4AE3906D09F94AD4C532BA35951553D1
SHA-512:	C73BE7BE0C52CDAB4BA1E3022D9D1E1E2DBC897E34A4F243A7D8936BB7B4A2F46DF2BD1F6E7CA63F6A80C799E4EAD1EAEE38550683473EBF53FC8E2569112BBF
Malicious:	false
Preview:	http://www.spyrix.com/purchase.php?prg=sfk

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\temp\reg\ru\is-HONMU.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	GIF image data, version 89a, 327 x 57
Category:	dropped
Size (bytes):	7829
Entropy (8bit):	7.826687568770807
Encrypted:	false
SSDEEP:	192:ZwZ+70N539DtmJu0clifT2eTb6uRM3Q6q:Z0+QNftOcloTBTtRMHq
MD5:	241545A94AF6185978CFD96B32101E95
SHA1:	75FC98239798D933FD87978D7545964CE0E611D8
SHA-256:	01FD9E13EEF1D14C6C2B4E5EA16E40789FE5423715500C29A7DC58FDF2C1364F
SHA-512:	1A127A5EB9573418B3301A0E498B5335AEE0E99F87C8B4C12B6907476D49D1781264700A692FBE24971D405695AAE9BD5C4F40E95D10A1F26CBB0818A32899E1
Malicious:	false
Preview:	GIF89aG.9...............g.............r...w................m.............$.....Z...ud.........\|..............-(.......M5o...................h.............6{...........yu6.............w.83.........L.....>..d.........U....m...mj.......eYY~.k..{.............................w........c....................!r............p........W.........E.....ZU.......j.................................b.....Qw..D@.N......L.z......F.A...........\|..N......f.............x.........].......UQ.........................................`.....?%.w.#Y....BBB...fff............000...TTT888.....xxx.ZD.....................b.....>j....Iq...................................................@l.......~........Q..U..............4c.........._......OM.................................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="ht

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\temp\reg\ru\is-PH2EM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.248529327128576
Encrypted:	false
SSDEEP:	3:N1KJS40dyTKVQXGNErnVernn:Cc40dyTK6XaErVer
MD5:	8F1A40DDD71F7EA45DF0E2FE0BACA597
SHA1:	E64C2983DE93F6566752E01BC0A2A5F3983759F6
SHA-256:	2360EAEBD32653D08F75DB2F1C2AE67F4AE3906D09F94AD4C532BA35951553D1
SHA-512:	C73BE7BE0C52CDAB4BA1E3022D9D1E1E2DBC897E34A4F243A7D8936BB7B4A2F46DF2BD1F6E7CA63F6A80C799E4EAD1EAEE38550683473EBF53FC8E2569112BBF
Malicious:	false
Preview:	http://www.spyrix.com/purchase.php?prg=sfk

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\temp\reg\ru\is-VFTUT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	GIF image data, version 89a, 884 x 198
Category:	dropped
Size (bytes):	90699
Entropy (8bit):	7.976611505014986
Encrypted:	false
SSDEEP:	1536:TO6fc7nz/3pXEtubO/n9l7STXTQXsxalgH8UsX4UzAY3p18N14e86zebLqDf:BEzzRXEtubO/yTXTlxbrUDcu/8v4e8AH
MD5:	EF79CF8AABBC41E42025D3ACF51B36C9
SHA1:	71940D0E9D230D295D8A89397DF4ED0BA5BD72DA
SHA-256:	24D4AC7D4101A76F35F636660A92AD95E1C068065D17BB4F8CC27CD3C91402F8
SHA-512:	E579BEED091D3A4068AE664640BA0EDCFB309F0C7142CD452B45F79A69B6423A8237D9256C9A0E3FFE4F22EBC1C01D26B2BE79FD7B3E3E9643A1142A997E5902
Malicious:	false
Preview:	GIF89at.......s...............f[.......u..mQ...ONH.L1..C;................C+.qX....X.dH......W>...........M..........'&#.z....[&..x7".......................Y........+#{}}.......^...a.......hih...X..............zL....n..v..........e(........`.za..........j.7 .......m..........y.......u,......q....we.........T.............dd[.......WCi......e..Y*.R...4...!.....\BEC?..........n...............a>..b.Cy.............=CH.}.....M0....%+nst]dc......mpl.O...N..x....E?.....).....[..;.......sxq[^X......}.........c...fmr..~M..................L.k_...._..j.{.................D....f....a.....?(..{.\|{974..5...../..;.....&....L%.r+...........).......................................................................W....v...............R...YYW.......?%.........!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="ht

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	data
Category:	dropped
Size (bytes):	128756
Entropy (8bit):	3.9057385481908176
Encrypted:	false
SSDEEP:	1536:WcYi3SboaIi6SRXBXLZ67bL7Lb7LQnPnbLzLNM7a2zEMwzv0bnA+PTPXXqjzfDH7:Wli3SboaIhSX5
MD5:	AE4523EC7234478701720537B00205EB
SHA1:	736A51DA49F13AEF83901D47F0DAB261163E5A86
SHA-256:	6813F72E59E6B44362B658744F308D49F5057AEB7EE5490FE7163E23F1BBA94E
SHA-512:	081364E9C07E6EC63F080246686CD5A962F30EDFA7F1FA2923769060DD8512174439384B99576A2D1A2DD581181F3668A63E5710AAADDB5BE5434531EB72B18E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................(C.................1.2.3.7.1.6......h.a.r.d.z......C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}................;...,.. .............IFPS....1...]...........................................................................................................................................................BOOLEAN..............TOUTPUTMSGMEMOWIZARDPAGE....TOUTPUTMSGMEMOWIZARDPAGE.........TINPUTQUERYWIZARDPAGE....TINPUTQUERYWIZARDPAGE.........TNEWSTATICTEXT....TNEWSTATICTEXT.............

C:\ProgramData\{972DC8CA-126D-23FD-11AA-92876DD12AFD}\5913A2D6482586A397876746C6020FBE Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	36
Entropy (8bit):	4.593400348604437
Encrypted:	false
SSDEEP:	3:PouVKQzhquIw27n:h4Qzhqfn
MD5:	179EC8DFA22BD8C472285A4F01C3879C
SHA1:	C7F2C43F00D5D69B7C534EF9F7BB4D5EEACDDFA6
SHA-256:	5CA8C7050FF095DB093320A34382CB8859E9BE94795F1A7605B1BE1232D67668
SHA-512:	E0DE299D4E8173857050BFFF6FDDF93CF88471490F072C904124F685124B80AD5AB84B119F55B75281EE3E4E9BA688593842F7BF1A78FE650F41A7FEC2A6888B
Malicious:	false
Preview:	<!DOCTYPE html>..<html lang="en-US">

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D451E49F-5479-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	38488
Entropy (8bit):	1.898340967005344
Encrypted:	false
SSDEEP:	192:reZZVZE2w9WktCpfMtGbWEMEftMrYzofkrrEg:rabTwUwE4vERItoP
MD5:	03391E01EC02B470A5F3F81E3EE21DC7
SHA1:	3ECD646A6DA340DAD90F21216EBD8C74B3C783B5
SHA-256:	0D185BB891B6C488BA3DB34F6303E876BD8BEFA85D1FAE35027B3044971307DD
SHA-512:	78808966B4D2E47E4C3890CAFB384109E623E24E6CB092EE33F7C825572655BEDE077F2E7429A83F8EC3AEF37F1FD4C2D868760755C197944E55D40D30F30E11
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D451E4A1-5479-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	23664
Entropy (8bit):	1.7758669416412871
Encrypted:	false
SSDEEP:	48:IwnRjGcprROGwpaaRjG4pwXaUG6Xp7yXPYGZphXZQGaqp0XjYGNpUXbGR4pQsXqp:rRZZMQ4Valhy/pDpdaTd6rmsfBs6+L
MD5:	75A68BDCE111550DC32A66AE80820B49
SHA1:	101F0CD741544851B2373003AAA853A46EE5550F
SHA-256:	2325FB5A88D47FE56A69AC20B838928F8CD920E4F6F1002B5BD03F023027D9D1
SHA-512:	F9EE30C0E15B4D7F12D198DD385037165F21084FF602A9C5C1B8F5AF688A06371563666A17E6ED5D269059DBD7F7778737AEF0F020436D2AF9D13FFC12B8F5FF
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D451E4A2-5479-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5850477221536012
Encrypted:	false
SSDEEP:	48:IwcjGcpreGwpaRjG4pQBGrapbSzrGQpKfG7HpRisTGIpX2WGApm:rcZZWQRV6RBSzFAuTi4FJg
MD5:	5F0CCDF8F77DF0E12C79C5518F820A85
SHA1:	5246FA1C3ACAD2B7B081DFD655FB209A4DE730EE
SHA-256:	4738B6C68A53B6CA3D8B09CC12811A71168D8D43B59ECDE4B6B77CBA5194EDA5
SHA-512:	0A0EBA40E73678C8A5D62A2CA89B38D3931DCDA276D542D93645A951ECB3C35D1849D78CA2E1375B3B9FF7576BB4A47C4BF0133BFB6617BBB450C2AAA057D51A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.100146473921719
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEEIdIxCnWimI002EtM3MHdNMNxOEEIdIxCnWimI00ObVbkEtMb:2d6NxO7IdIYSZHKd6NxO7IdIYSZ76b
MD5:	1FA6F54645E96DBE445580AEE2779FF9
SHA1:	3A051FFA9124D3193A37054F4E420024A972765F
SHA-256:	C1DF06A5DEF9FD30A02E5FEDBA380C251E4A2EFF89A223919A32B96353F62082
SHA-512:	5749263E5B41F5F03B97DB9CE3B4DB2310A75E1D76FB3E936ED7C229C19966F33C42DA74DFAF30FAAE56EEC0129650B681C73B2119D089A0208DC07478A2D0C0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xaafb24bc,0x01d6e886</date><accdate>0xaafb24bc,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xaafb24bc,0x01d6e886</date><accdate>0xaafb24bc,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.116306317088864
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kENdNxCnWimI002EtM3MHdNMNxe2kENdNxCnWimI00Obkak6EtMb:2d6NxrbNdNYSZHKd6NxrbNdNYSZ7Aa7b
MD5:	DEFA74CC201A08E289C1F62026A866A0
SHA1:	51345A0E79490C75C0AD4426544ACAD13BCDB720
SHA-256:	ECDB9CB5BD43F8733D6399BDA589676143B313812AC1B354407F112589D53A42
SHA-512:	780667A8DD2268D03E4A936C7E306189223BFC24451EECFAEB9C02246CDB6D65201DA41ADFBB4BFEDE135D4E92547C847CC6E67E4EAECE49E5445457F6A9FBD7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xaaf19b73,0x01d6e886</date><accdate>0xaaf19b73,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xaaf19b73,0x01d6e886</date><accdate>0xaaf19b73,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.118479760211299
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLEIdIxCnWimI002EtM3MHdNMNxvLEIdIxCnWimI00ObmZEtMb:2d6NxvYIdIYSZHKd6NxvYIdIYSZ7mb
MD5:	94EC83DC7856AF9607224637AF47E30A
SHA1:	82FF58170341DF2FD38D6A0E4330A2FE8BF9BA0A
SHA-256:	3317F37BC36C0EAAEC27F22F01741C9080C53541829524787AFF49B8B023C2CC
SHA-512:	1D9FAB5E2415D68C973137F85E845D0D03F9AEF16E67EFA1340DE52AF938FD841C0F4F9FA0708F762F94A73B690CC264AB28F1D9719D78DA82D9CCEB35BC2CF7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xaafb24bc,0x01d6e886</date><accdate>0xaafb24bc,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xaafb24bc,0x01d6e886</date><accdate>0xaafb24bc,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.105825676319661
Encrypted:	false
SSDEEP:	12:TMHdNMNxiEuVduVxCnWimI002EtM3MHdNMNxiEuVduVxCnWimI00Obd5EtMb:2d6NxxydyYSZHKd6NxxydyYSZ7Jjb
MD5:	42BEBCFA1CED2B615859E4EB93BA81FD
SHA1:	B845F70B31A9A50BEF76D478A345433F891F0EA2
SHA-256:	63EBF9038A152B3FCE7A008C882EFB08650F2384592C48168B4B4886F2A6516E
SHA-512:	11131A9DE9ACB577304F89E26CFDE46ABE1DE6E3DC7F60A98391056186CCADB2857EFF24CED7CE14170C505EB231727F7EC7D8FEEADBF9E6C1B52D4AF1FE5243
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xaaf8c257,0x01d6e886</date><accdate>0xaaf8c257,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xaaf8c257,0x01d6e886</date><accdate>0xaaf8c257,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.128914563225983
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwEIdIxCnWimI002EtM3MHdNMNxhGwEIdIxCnWimI00Ob8K075EtMb:2d6NxQ3IdIYSZHKd6NxQ3IdIYSZ7YKa/
MD5:	A053ECC14208D687B2624F1CD94C80B5
SHA1:	96F38FC4C16393F107EC6827A0475294E1690456
SHA-256:	5B87A192559596EA783A65932368B3EE6B2145DE1308306E116452C58C15F157
SHA-512:	D5491457256CE9A1912608A91553D9091E3EF5085842C17B9151A30A23A170388C684B60A27D8CCB694973DCB68939FAC3C13FF4ADD08C277717E65D91DBADE1
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xaafb24bc,0x01d6e886</date><accdate>0xaafb24bc,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xaafb24bc,0x01d6e886</date><accdate>0xaafb24bc,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.09327670622617
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nEuVduVxCnWimI002EtM3MHdNMNx0nEuVduVxCnWimI00ObxEtMb:2d6Nx0EydyYSZHKd6Nx0EydyYSZ7nb
MD5:	C1FA89221D590F56DCA0DB7AD35661A0
SHA1:	9FAB7E73B4FD3492CF59BEAEFACF9BBBFFABE658
SHA-256:	05C9C8DA887BFA502433472E648E539ED09DC560862A3CE8A81EDACA6A1D62F1
SHA-512:	95ECC9368FAB9EC47C559CF4575D34F160883C8765FAFFF78E444E23C45ABDA3B4F4B4424C17AC078ADC14CEDB45C0BCCD93BBCF6D601639B65299829AA1007E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xaaf8c257,0x01d6e886</date><accdate>0xaaf8c257,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xaaf8c257,0x01d6e886</date><accdate>0xaaf8c257,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.130548966418625
Encrypted:	false
SSDEEP:	12:TMHdNMNxxEuVduVxCnWimI002EtM3MHdNMNxxEuVduVxCnWimI00Ob6Kq5EtMb:2d6NxOydyYSZHKd6NxOydyYSZ7ob
MD5:	AE93D9A746BB0E3525263C4BAFCD19E3
SHA1:	C3127DF284DFA8D5D52EA1881A3FB1A5D7CDA527
SHA-256:	2FA266D790A9A7D4D11036937E4ACB407262AEADEFE87D9525635DAFD3A90FFD
SHA-512:	3654E93089FF05E0573CE6B1F4AB064BFACF1B0BC235F8557660A4447C3D2ADB4743523FC9B25C6BB949388A1E3E44800678029BF89402813C9B4C139A2188CF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xaaf8c257,0x01d6e886</date><accdate>0xaaf8c257,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xaaf8c257,0x01d6e886</date><accdate>0xaaf8c257,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.095825699307534
Encrypted:	false
SSDEEP:	12:TMHdNMNxcETvpdTvpxCnWimI002EtM3MHdNMNxcETvpdTvpxCnWimI00ObVEtMb:2d6NxTThdThYSZHKd6NxTThdThYSZ7Db
MD5:	86BAC1AEA0997F43B217B12251BD3EBC
SHA1:	EFD3DC25D6CEB21E194D355C23A4598DBE048E93
SHA-256:	3DED0F6B02436F80CA2015CB3EA5F8E581C20A3A371460979DB5FC15EFEC3E58
SHA-512:	8CE1B0D91D1DF063C7BD85F8A9F22E3995742BA570B3DF340D8E9F4D6A62CC482C9AA4454FD0D4ED5FBD12448B9E4A5B8946BBE8B599CE3ACC11A23584F678AF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xaaf6604b,0x01d6e886</date><accdate>0xaaf6604b,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xaaf6604b,0x01d6e886</date><accdate>0xaaf6604b,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.093052867109503
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnETvpdTvpxCnWimI002EtM3MHdNMNxfnETvpduVxCnWimI00Obe5Ety:2d6Nx8ThdThYSZHKd6Nx8ThdyYSZ7ijb
MD5:	83697D1D0E336226E2D513AE1751ED3A
SHA1:	D4AE3086C6265A66228A2D5161E481BC900AC2F4
SHA-256:	4233C0D577AD28F2ACAD9E3EBFF5C826DA2D8CBDA24034ECCAEBF5837F2AD109
SHA-512:	C452941DF91EE461FE4285AAC29F68FA03DB1880657C858151D7E8E47917F41DE11EDF2A96DDCEE74029564D19CD2475EC48E727EC0A0B92B0E87EB9AD8156B7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xaaf6604b,0x01d6e886</date><accdate>0xaaf6604b,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xaaf6604b,0x01d6e886</date><accdate>0xaaf8c257,0x01d6e886</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\ynfz0jx\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	3135
Entropy (8bit):	7.740407327536852
Encrypted:	false
SSDEEP:	96:XGAYfTlYH/Bv8dZc/04VYA9n3eWb8Hom3NO:XRYfTe8dZ94VYA9n3esQ13NO
MD5:	259461BE52711FE23BE4E6AB03BBA7D6
SHA1:	CA21AE0D87915B1BB5DF77E0D25A125E6C2B9A82
SHA-256:	CF17A2E63167409AD17945B2610B0E5BAAA7F7BCB7E91EE64CCF37BA7898AE7C
SHA-512:	0A67BD6DC6B1B071E669C3F48D8BB2909A95ACABDCCB85E73F76235A23EC2FF0EC220357037286C2A9D9A23FE8AD3460350E5D7E51F669B184B94E9E84FF05E1
Malicious:	false
Preview:	".h.t.t.p.s.:././.w.w.w...s.p.y.r.i.x...c.o.m./.f.a.v.i.c.o.n...i.c.o......PNG........IHDR.............P3&.....gAMA......a.....pHYs..!7..!7.3X.z....tEXtSoftware.paint.net 4.1.6.N.....SIDATx^..q.F....C....C..NeI....@.@.`......C....n......nw.3..y_.W.jqw...1..w........uY(.e.7.......-.....2.e.<.V....GX....y...Z.pZ.2o.aQ+.Nk[..#,je.im.y.E..8.m.7.......-.....2.e.<.V....GX.........OtN....@.y...Z].O.yG...e....-.y.E..8....0.$4.8...NB...0.$4.8...NB...0.$4.8...NB...0.$4.8...NB...0.$4.8...NB...0.$4.8...NB...0.$4.8...NB...0.$4.8...NB...0.$4.x0...O.........?=......+..40..H..sZ..6.........0.A..9..p..\|..\R.~.o...<.i]...U..d.....@nM..;...0..H;....NC.0.x..;...-.....v..P-.....2....C.0.x.R..B...[..<.2.K..6hlW-.....A;...E.....e...-..3[..<0.....W9+..a.'!m.....:[..O.L-..>13.0.8Y...0...".0.8y..-..NT...0...H-..N...0...zma.6..?..GX...Ao-..2o.aQ+.>...07-.....2...a..-.....2.1.}.k.S..#,je.cqmaz...y.E..x\.~.).....z..\|..........y...Z.._..!y.."oG.9g.0e.<..=...,W..].'.Z.2

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\flexgrid.min[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	13584
Entropy (8bit):	4.898737818541816
Encrypted:	false
SSDEEP:	192:mbxqMEVXxALM83TdmbVeoPFNVmwZunron8KqfjFeUQVfJYDUUjvhhkf34TB6E0Vr:V28L3KCXmQ
MD5:	B6304D4B08201DEC643229CC5B8C775D
SHA1:	297183B2DEEBF0E1861F80B25B7692C117E3F33E
SHA-256:	CAA3D9A6087F24BB3FDC9B65210543BECC1F3381C3A34EADC67BFD754A514FB4
SHA-512:	C053B0537894883FEF33F5CC5DDF3FCD85DEB4A72ACDDCEDD9DF9D535CF53683EBB99BC440AF5DC942718F16FF5A9AFB18D48F92DD5126CEA86329A312ECA2E0
Malicious:	false
IE Cache URL:	https://www.spyrix.com/css/libs/flexgrid.min.css
Preview:	.row{box-sizing:border-box;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-flex:0;-ms-flex:0 1 auto;flex:0 1 auto;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row;-ms-flex-wrap:wrap;flex-wrap:wrap;margin-right:-.5rem;margin-left:-.5rem}.col{-webkit-box-orient:horizontal;-webkit-box-direction:normal;-ms-flex-direction:row;flex-direction:row}.row.reverse{-webkit-box-orient:horizontal;-webkit-box-direction:reverse;-ms-flex-direction:row-reverse;flex-direction:row-reverse}.col.reverse{-webkit-box-orient:vertical;-webkit-box-direction:reverse;-ms-flex-direction:column-reverse;flex-direction:column-reverse}.col-xs,.col-xs-1,.col-xs-10,.col-xs-11,.col-xs-12,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-offset-0,.col-xs-offset-1,.col-xs-offset-10,.col-xs-offset-11,.col-xs-offset-12,.col-xs-offset-2,.col-xs-offset-3,.col-xs-offset-4,.col-xs-offset-5,.col-xs-offset-6,.col-xs-offset-7,.c

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\js[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	98730
Entropy (8bit):	5.514489987842766
Encrypted:	false
SSDEEP:	3072:JB4bXR7peBY0D2JqUgumBlTjw/UTYBpN+:PmicQGBj+
MD5:	EFDD299816F3E6CEFC7E4FFDD2E58FE4
SHA1:	6EA61121BAF3609ED30704652EF92561ABF5240B
SHA-256:	8366B8CBBAEA49EFB5A3BF67CA8C4913957794CA5B3252BA59727A963F2B85A4
SHA-512:	FC07CA4069C22908BDF7A455A68E5FCD31D3D21B21993000564391D7D0C675334DBDE06570DA5AA5ECE4981D8F5CB3B091BCF4BF0B9E151F5B5EBC0937861517
Malicious:	false
IE Cache URL:	https://www.googletagmanager.com/gtag/js?id=UA-30397195-1
Preview:	.// Copyright 2012 Google Inc. All rights reserved..(function(){..var data = {."resource": {. "version":"1",. . "macros":[{. "function":"__e". },{. "function":"__cid". }],. "tags":[{. "function":"__rep",. "once_per_event":true,. "vtp_containerId":["macro",1],. "tag_id":1. }],. "predicates":[{. "function":"_eq",. "arg0":["macro",0],. "arg1":"gtm.js". }],. "rules":[. [["if",0],["add",0]]].},."runtime":[].....};./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var ba,ca=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}},da=function(a){var b="undefined"!=typeof Symbol&&Symbol.iterator&&a[Symbol.iterator];return b?b.call(a):{next:ca(a)}},ea="function"==typeof Object.create?Object.create:function(a){var b=function(){};b.prototype=a;return new b},ha;.if("function"==typeof Object.setPrototypeOf)ha=Object.setPrototypeOf;else{var ia;a:{var ja={wg:!0},la={};

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\lazysizes.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	7235
Entropy (8bit):	5.421538212995168
Encrypted:	false
SSDEEP:	192:1O4602wGWi72hBQa0cDTrTx46C4gq4q4oFPHK818owTZ6RtR:1O460o72hVDnTxcdq4q4oFPHKI8VTIRj
MD5:	0812D0F17B90A4AEFD97BB91085AD252
SHA1:	B8D4D9CBFEB488D2FD61004FECBACA5DDF5AE932
SHA-256:	876B4C12685E991D88378C1B6DD3638FD2DA0C88F3C24DA1ADA950C1F26604E1
SHA-512:	B9A6842A800F5447BD8F5B22E0413C86390D6070457E45EAC342FD5F159FB98A9CC0D2F69BC321DF28D67C2074CE27D0CBE568C1EBAA2E15E8F9D808E56AE126
Malicious:	false
IE Cache URL:	https://www.spyrix.com/js/libs/lazysizes.min.js
Preview:	/! lazysizes - v5.2.0 /.!function(a,b){var c=b(a,a.document,Date);a.lazySizes=c,"object"==typeof module&&module.exports&&(module.exports=c)}("undefined"!=typeof window?window:{},function(a,b,c){"use strict";var d,e;if(function(){var b,c={lazyClass:"lazyload",loadedClass:"lazyloaded",loadingClass:"lazyloading",preloadClass:"lazypreload",errorClass:"lazyerror",autosizesClass:"lazyautosizes",srcAttr:"data-src",srcsetAttr:"data-srcset",sizesAttr:"data-sizes",minSize:40,customMedia:{},init:!0,expFactor:1.5,hFac:.8,loadMode:2,loadHidden:!0,ricTimeout:0,throttleDelay:125};e=a.lazySizesConfig\|\|a.lazysizesConfig\|\|{};for(b in c)b in e\|\|(e[b]=c[b])}(),!b\|\|!b.getElementsByClassName)return{init:function(){},cfg:e,noSupport:!0};var f=b.documentElement,g=a.HTMLPictureElement,h="addEventListener",i="getAttribute",j=a[h].bind(a),k=a.setTimeout,l=a.requestAnimationFrame\|\|k,m=a.requestIdleCallback,n=/^picture$/i,o=["load","error","lazyincluded","_lazyloaded"],p={},q=Array.prototype.forEach,r=function(a

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\logo[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 379 x 117, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	3666
Entropy (8bit):	7.856784925017142
Encrypted:	false
SSDEEP:	96:cgPy0PP4ZhVpO2NJWRGe3w+Dqk6Bkm1JDeySA5fG:7PjgZ9O2NfedDqkm3MAk
MD5:	D05BF38453284ABFFF1F32A4A107BB26
SHA1:	7822E21B28177CF9737A306245F273F2077C0956
SHA-256:	ADED86634388B64F99484E2184B226587E9FED76CD763C158FE9474BAD3C7D98
SHA-512:	98659EB10570DBB863602645B223F28DF2458261064B63F0EB237FBC8AF5AEA754079BE4136C14473EFBA18083B86A1CB55F308439D4561FA75517C0AC920673
Malicious:	false
IE Cache URL:	https://www.spyrix.com/images/logo.png
Preview:	.PNG........IHDR...{...u.............gAMA......a.....sRGB.........PLTEGpLcmu......bmuclt.........d..bmud.....b}.d..d.....blt...dksd..d..cmu......cmud.....cksd.....cksclucmud..............bmucmtcju......bmucmud..d..d..e.....d..cmu.kG&...2tRNS.....?.@.._. ..@.._ ]....f..o.o../.P..O0...o.0..'.....IDATx..i.....Q...mqBW/[.........v..2TFp.Y7..w.!<..U..Z..jo.i.f.....ao.....ao.....ao.....a_...S......;.......ao...}...i...a.7..s{r.....Vm..S.)o..7/;(.xj...7lK(.......F.y......x...5...w.........s..6..m......^>...L..~....'.K..X.}...Kp1..v..K.>k.@.=:.#..Sy.....f..4{.O.q..=l.<.gw...}.5..k...\.......+.X.%...D.=...c(.$x.........l...@.=...>(%.a#..F......X..z.'.:"bO.m.{...(N.5b..f..4...G]..&h.1C.\K.=.Y..<`..............e...N.tlhF0EX1...E....G..b...^doud.."..>B.C.5..8f.m.......D.=.B..._e_.H.q...L^& .&_u.@.=..a.l.h..!.'~9...4...b..\|O.h9.......x.Q.@/...F.._d.\...N..o...f.1.L.{kuF...>C.....5.=...W`...lb..g.3\..=.h..v..c........~[:.@.}.#-c.......d_....#.?Y..ZU...rgw6..=b.nT

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\main.min[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	downloaded
Size (bytes):	62256
Entropy (8bit):	5.041405982399486
Encrypted:	false
SSDEEP:	384:8XTKvzf6CWK9w9vugkK6qkBky3OkMZ8OxcNuv8yUrwGWg/gFgIm/rtkNfbkAFIVt:sKvzfJwEmcWIT
MD5:	AB03700FFF631781783B62BC62244C12
SHA1:	A681C87A60BA9D75E615DB8BD82582ADA35F6C56
SHA-256:	CF7AEAFB1B7CDA9CD13792C7CE2D64D3FDBBFA7421B9F88F36353CCACA55E783
SHA-512:	37E007DC9BA0526A925F328A3A25DCE7DC2198BABCB3224817D27AF2BEC1D54938637538A930C8ED35D1E569A1184D9E51D3D65ACE4B7937A45F28F24B020404
Malicious:	false
IE Cache URL:	https://www.spyrix.com/css/main.min.css
Preview:	@charset "UTF-8";body,html{height:100%;width:100%;font-size:18px}body{font-family:Mull-reg,Arial,sans-serif;-webkit-font-snoothing:antialiased;-moz-osx-font-snoothing:grayscale;color:#000;line-height:1.42;font-size:1rem}ul{margin:0;padding:0}ul li{list-style:none}button{display:-webkit-box;display:-ms-flexbox;display:flex;border:none;background:0 0;cursor:pointer}h1,h2,h3,h4,h5,h6{margin:0;padding:0;font-weight:400}table{border-collapse:collapse;border-spacing:0}*{-webkit-box-sizing:border-box;box-sizing:border-box}a{text-decoration:none;color:#000}@media screen and (max-width:480px){section{margin-top:70px!important}}.wrapper{overflow:hidden;width:100%;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;-ms-flex-direction:column;flex-direction:column;position:relative}.maincontent{height:100%;-webkit-transition:-webkit-transform 1s;transition:-webkit-transform 1s;transition:transform 1s;transition:transform 1s,-webkit-transform

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\script[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	5665
Entropy (8bit):	5.054290819972699
Encrypted:	false
SSDEEP:	96:npiXi+iLUkb7Y8owFyX1WNCIBIiNGIYrvQ9rSMrzSAyNYd6zjV/71N:piXi+iokBxCIBIiNGIYrErSMrz4NNhX
MD5:	23AAA2DE0DD3D5CF35588C07860B52A6
SHA1:	ADC6293E9257D608FC3277723158CB4EB82A7C5C
SHA-256:	344176096D72DEACB141E897B6C9CCA9A772CF8FDF8DA83D09E581904A7DFEC7
SHA-512:	231A75E5D1E6D5D4514C3E245F2232B59FAE8AED0F239E272A7AED37A49E370A3ED1C04DAEEF2D856C9732115F0878C830B074DE6440D6A098CE3A4019C69400
Malicious:	false
IE Cache URL:	https://www.spyrix.com/js/script.js
Preview:	"use strict";..function showMoreFeatures(span, hidden, show) {. span.style.display = "none";. document.getElementById(hidden).style.display = "none";. document.getElementById(show).style.display = "table";.}..window.addEventListener("DOMContentLoaded", function () {. function sleep(ms) {. return new Promise(function (resolve) {. return setTimeout(resolve, ms);. });. } // function doStuff(). // {. // //do some things. // setTimeout(continueExecution, 10000) //wait ten seconds before continuing. // }. //. // function continueExecution(). // {. // //finish doing things after the pause. // }.... // function showBtn(show) {. // if (show) {. // $("#nav-btn-download").attr("style", "display:flex");. // $("#nav-btn-buy").attr("style", "display:flex");. // sleep(10);. // $("#nav-btn-download").addClass("nav-btn-download-float");. // $("#nav-btn-buy").addClass("nav-btn-download-float");. // } else {. // $("#nav-btn-downloa

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\icon-arrow-down[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	161
Entropy (8bit):	4.963695140537128
Encrypted:	false
SSDEEP:	3:tRBRNqo8+lFAATcvUVFD7SLvDmJS4RKb58ZSFuH7pJTplHsRaOA9dcjBWaOA8cXx:tnrVli/UTumc4slvItrlMR69dcjBW6Zx
MD5:	AD58F59DC07CD7A4034FA8F537602AFB
SHA1:	8360F72790847F251F664C41860DD96F33B37DA6
SHA-256:	40E65D0B55BE5B041BDD578F7323091D73636E0C04F77E18ED2910BA2150C046
SHA-512:	08425F5B9DAB93FA056385084A8C3E06F8929F55F40C784F8FFDB0676BEA4324D57B94424573E3B44EA33B3ED5A841E5B29EC4C6BF05F151964B922637F2CD2D
Malicious:	false
IE Cache URL:	https://www.spyrix.com/images/icon/icon-arrow-down.svg
Preview:	<svg width="12" height="8" viewBox="0 0 12 8" fill="none" xmlns="http://www.w3.org/2000/svg">.<path d="M11 1L6 6L1 1" stroke="#64A0FF" stroke-width="2"/>.</svg>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\icon-sem[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	2089
Entropy (8bit):	4.920854364101451
Encrypted:	false
SSDEEP:	48:rlLFzFUQKsZ+IpgmQgURvQOH5m17IcQLQQpKb00h7Q8BVHtmZia:nyj0amzqvt5m17d9Zph73Q9
MD5:	FFF9749C43F11A8597246C8D3A80ACBC
SHA1:	E6A86BDC89EBDD77845C70F7B9F758FAF3597BF4
SHA-256:	EF999C4A010CC02D018DEC08F60366EF270F1A97E4EDCA5D4D943DDBA3DFC194
SHA-512:	FEA65B24B9576D18F8D74BE42E00A854DEDED317435E6CCCA099A11630028AD2A5BB1A9C709D5CA4C23FD234A9B335ED67903CEEE76E75C1B110BB85D8E90C6A
Malicious:	false
IE Cache URL:	https://www.spyrix.com/images/icon/icon-sem.svg
Preview:	<svg width="52" height="52" viewBox="0 0 52 52" fill="none" xmlns="http://www.w3.org/2000/svg">.<rect width="52" height="52" rx="6" fill="url(#paint0_linear)"/>.<g clip-path="url(#clip0)">.<path d="M24.25 24.6504C22.225 24.8834 20.5 26.6698 20.5 28.7669V35.2135C25 36.6116 28.75 36.6116 32.5 35.2135V28.7669C32.5 26.5922 31 24.7281 28.9 24.5728" stroke="white" stroke-width="2" stroke-miterlimit="10"/>.<path d="M26.8 16.8059C24.475 16.8059 22.675 18.7477 22.675 21.0778C22.675 22.5535 23.35 23.7962 24.4 24.5729C25.075 25.0389 25.9 25.3496 26.8 25.3496C27.7 25.3496 28.525 25.0389 29.2 24.5729C30.25 23.7962 30.925 22.5535 30.925 21.0778C30.925 18.7477 29.125 16.8059 26.8 16.8059Z" stroke="white" stroke-width="2" stroke-miterlimit="10"/>.<path d="M35.05 33.1942C37.6 33.3495 40 33.0388 42.25 32.1845V25.7379C42.25 23.5631 40.75 21.699 38.65 21.5437" stroke="white" stroke-width="2" stroke-miterlimit="10"/>.<path d="M36.5501 13.7766C34.2251 13.7766 32.425 15.7184 32.425 18.0485C32.425 19.5242 33.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\icon-sfk[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	1539
Entropy (8bit):	5.064585442740482
Encrypted:	false
SSDEEP:	48:rlLyC7Dh71V7r7A7Ao7VEY7d7pV7L7a7Pl7z757a1g7n7kBVHtsXQ:QC7Dh7P7r7A7X7aY7d7/7L7a797z757m
MD5:	31F757FAE0E927E39DFCFCB28A06F2AD
SHA1:	E470DCB97990C2F7A5D325182AAF90147E6798CC
SHA-256:	ECCC2BEBC6A2318A2F647F6FF11A408BD42A8E2A266C485DCF2012E78E69454E
SHA-512:	E12204503BBC2184F78949C7AE1ECB99CE99FA63B8110E987ADE54A2029936456859BC097816F2B5AD1BF60779FCD7B0BD5FEE470D6C35FF5D3BE53D9BEE9E84
Malicious:	false
IE Cache URL:	https://www.spyrix.com/images/icon/icon-sfk.svg
Preview:	<svg width="52" height="52" viewBox="0 0 52 52" fill="none" xmlns="http://www.w3.org/2000/svg">.<rect width="52" height="52" rx="6" fill="url(#paint0_linear)"/>.<rect x="11.6957" y="19.0002" width="29.3043" height="16.0869" rx="2" stroke="white" stroke-width="2"/>.<path d="M14.8695 22.8699L16.9973 22.8699" stroke="white" stroke-width="2"/>.<path d="M19.1249 22.8699L21.2526 22.8699" stroke="white" stroke-width="2"/>.<path d="M23.2173 22.8699L25.3451 22.8699" stroke="white" stroke-width="2"/>.<path d="M27.3915 22.8699L29.5192 22.8699" stroke="white" stroke-width="2"/>.<path d="M31.5654 22.8699L33.6932 22.8699" stroke="white" stroke-width="2"/>.<path d="M35.6984 22.8699L37.8261 22.8699" stroke="white" stroke-width="2"/>.<path d="M14.8695 27.0439L19.0434 27.0439" stroke="white" stroke-width="2"/>.<path d="M21.1304 27.044L23.2581 27.0439" stroke="white" stroke-width="2"/>.<path d="M25.3046 27.044L27.4323 27.0439" stroke="white" stroke-width="2"/>.<path d="M29.4784 27.044L31.6062 27.0439" st

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\icon-skm[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	3922
Entropy (8bit):	4.514282596632423
Encrypted:	false
SSDEEP:	96:BHR+iqaA1iJIkRlfhtU1N9BtXKqd1Tqovgn9//b7Hb7W7:JR+iqJ1cRlfhtUtBVTqomfHfa
MD5:	55E4A72CAECF0D6DD9DD568DD2DB458C
SHA1:	03EDAFB2BA955E6CDACF501E78C55C12466F1185
SHA-256:	352545D292527E9175EDE00A2EC6F66CF9A02B0AF4BD5F7838C096D6DB505C0F
SHA-512:	849A40EF530AAC32729417C3D793D68CE4F2738FA9DFD4DDB1E516FA73F7A9AB5A092BB735ABB0DDE2D8CA16B5ED30659DC1C04477EF7FBDB8A8E809F8AC5749
Malicious:	false
IE Cache URL:	https://www.spyrix.com/images/icon/icon-skm.svg
Preview:	<svg width="52" height="52" viewBox="0 0 52 52" fill="none" xmlns="http://www.w3.org/2000/svg">.<rect width="52" height="52" rx="6" fill="url(#paint0_linear)"/>.<path d="M16.0941 39L13.7041 42.64L11.3041 39H9.91406V46H11.4141V41.68L13.2641 44.5H14.1341L15.9841 41.69V46H17.4841V39H16.0941ZM23.0382 44.76V43.23C23.0382 41.65 22.1182 41.06 20.6782 41.06C19.9382 41.06 19.2082 41.25 18.8182 41.38V42.58C19.2682 42.4 19.8582 42.22 20.5182 42.22C21.2682 42.22 21.6482 42.55 21.6482 43.03V43.2C21.3082 43.12 20.8882 43.07 20.5082 43.07C19.5482 43.07 18.3982 43.45 18.3982 44.67C18.3982 45.62 19.1782 46.14 20.0782 46.14C20.7882 46.14 21.3382 45.92 21.8082 45.55C22.0082 45.91 22.3782 46.09 22.8682 46.09C23.1382 46.09 23.4182 46.03 23.6382 45.95V45.04C23.5482 45.07 23.4582 45.08 23.3782 45.08C23.1982 45.08 23.0382 45.01 23.0382 44.76ZM20.8282 43.9C21.1182 43.9 21.4382 43.96 21.6482 44.01V44.76C21.3282 45.04 20.9582 45.15 20.5682 45.15C20.1482 45.15 19.8182 44.92 19.8182 44.56C19.8182 44.07 20.3182 43.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\icon-skmon[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	4857
Entropy (8bit):	4.491850620544103
Encrypted:	false
SSDEEP:	96:/5xf2JX6aSzUkz0wqbV7zWm73HR+iqaA1iJIkRlfhtU1N9oGViEML07:hIKaSwbpTXR+iqJ1cRlfhtUtO9Q
MD5:	2CD119AAB85B6F58D279045D1C424084
SHA1:	A5083B885186AB26D843A0DFDF2FAB1ED2D28891
SHA-256:	1D2663CF7C392F3795E2D2F243C827B5C90E79BE5FD7AE877C3BFBB9192E9971
SHA-512:	D4B0E2A2196A814219275809A128B61DF686B9A84BAB124E65C22D6A1766859F43C84DBF8654F0B5DE6957582AC4D28166F585F269BA210B853E6E57B0D5318D
Malicious:	false
IE Cache URL:	https://www.spyrix.com/images/icon/icon-skmon.svg
Preview:	<svg width="52" height="52" viewBox="0 0 52 52" fill="none" xmlns="http://www.w3.org/2000/svg">.<rect width="52" height="52" rx="6" fill="url(#paint0_linear)"/>.<path d="M34.0713 35.0001C37.3456 35.0001 39.9999 32.3212 39.9999 29.0167C39.9999 25.7123 37.3456 23.0334 34.0713 23.0334C30.7969 23.0334 28.1426 25.7123 28.1426 29.0167C28.1426 32.3212 30.7969 35.0001 34.0713 35.0001Z" stroke="white" stroke-width="2" stroke-miterlimit="10"/>.<path d="M36.0935 13.6642L39.954 27.9963V29.0167C39.954 32.3098 37.2884 35 33.9794 35C30.6704 35 27.9588 32.3098 27.9588 29.0167L27.9128 14.128C27.9128 11.8553 29.7972 10 32.0491 10C34.1632 10 35.8637 11.577 36.0935 13.6642Z" stroke="white" stroke-width="2" stroke-miterlimit="10"/>.<path d="M16.9287 35.0001C20.203 35.0001 22.8574 32.3212 22.8574 29.0167C22.8574 25.7123 20.203 23.0334 16.9287 23.0334C13.6544 23.0334 11 25.7123 11 29.0167C11 32.3212 13.6544 35.0001 16.9287 35.0001Z" stroke="white" stroke-width="2" stroke-miterlimit="10"/>.<path d="M14.9065 1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\spyrix-products[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines
Category:	downloaded
Size (bytes):	95653
Entropy (8bit):	4.524888220602971
Encrypted:	false
SSDEEP:	384:2YGeb17Wt8X6qYxImgIOF+fCx3NglVJYMzswVllj8N8MK0ab9G976MAjsMuCI6zC:Z4PiKlb4V6MosMDhNNlU3aJHjDyHwU
MD5:	BE4CF17186ED04E5C3029028F31294BB
SHA1:	C21C3FFF85A6077383EDADFCF7037DA3F05FD570
SHA-256:	898C9375007F1BB9A9A09DAEE438367A0B96348011E587FFB788238CA135EF7A
SHA-512:	C52660960412261B30C9073B1163CC00989204ADC76950AE4120545623A71DDC4CF9988D1F44D11BCA46476ECADFFD9FDE9B4E9076C777194433650276789927
Malicious:	false
IE Cache URL:	https://www.spyrix.com/spyrix-products.php?from=sfk_install
Preview:	<!DOCTYPE html>.<html lang="en">.<head>. <meta charset="UTF-8">. <meta http-equiv="X-UA-Compatible" content="IE=edge">. <meta name="viewport" content="width=device-width, initial-scale=1">. <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />. <link rel="apple-touch-icon-precomposed" href="/favicon.ico">. <link rel="apple-touch-icon-precomposed" sizes="114x114" href="/favicon.ico">. <link rel="apple-touch-icon-precomposed" sizes="72x72" href="/favicon.ico">. <link rel="apple-touch-icon-precomposed" sizes="144x144" href="/favicon.ico">. <style>. @font-face{font-family:Mull-med;src:url(/fonts/MullerMedium.eot) format("eot"),url(/fonts/MullerMedium.woff) format("woff"),url(/fonts/MullerMedium.ttf) format("truetype");font-display:swap}@font-face{font-family:Mull-reg;src:url(/fonts/MullerRegular.eot) format("eot"),url(/fonts/MullerRegular.woff) format("woff"),url(/fonts/MullerRegular.ttf) format("truetype");font-display:swap}@font-face{font-

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\MullerRegular[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 35472, version 0.0
Category:	downloaded
Size (bytes):	35472
Entropy (8bit):	7.985539327834748
Encrypted:	false
SSDEEP:	768:42L+MoNjPpLbl3mB7XgOq4p2B9bORYDhoTwR8Pq4P:4WUNjx3tmBbhpyCRY9oT4Y
MD5:	B14F220BC48C45645CFCB548105A6670
SHA1:	B7F96AEE77AE30AF81D0774E9918681927FA7E29
SHA-256:	EB2C9C3A03BA291111EC547055EF75BD389DFA2409C670A52DF943D2186D50B3
SHA-512:	9ABA3C912CAF010266E08922D9135DC9EA4D2901BE836E5F316F75FBC3B70F61BFDEDDD866FC02BD04005DF1F2B6694D850F9B3A6227D8967C1EE58C3542F0A7
Malicious:	false
IE Cache URL:	https://www.spyrix.com/fonts/MullerRegular.woff
Preview:	wOFF..............T(........................FFTM...t........".P.GDEF..b<...5...6...XGPOS..g..."...u....GGSUB..bt...n...j%.k.OS/2.......O...`..7.cmap................gasp..b4............glyf......J.......whead...X...6...6..mjhhea.......!...$.Q..hmtx...$.......v.._.loca...P.../...B...&maxp........... .i._name..XP.......g...spost..Zd........5..'.........8.._.<.........\|%.`.....(.R._..................x.c`d``........?..<.c...2`...tv.....x.c`d``R`.a`g..& f.B...0....n...x.c`frg...........................\|...(...)...AA..3.....w.........0..R....%..8.x..}h.U..s.].[S..9..:]{.mW........6.(.V..."F.Q..`P.Q...A.VP..(.?.....1.......Bo....n3......s...9..>..O.(......o.4.%.SZj7i.{B..1..}%L.j@..@5v.j...o....5....h...`}.b.I-.)~.0..B.z.J.k.)V...:[....\|....<..f..u...=.w.Np..:M.c...%8.N..3.V..\|..en..x......r.9..<.>.\.V.).F..^d.Tg>..G3..\K8o.....FUe.Sa.oU..'5......mn..~.v....3...q.y@sXk....T...C.YfPQ.S..m....j.gZk...w....!.kD;./Zcj3c.M+.......>..~.Lp.......\|.!...h.{H....W*..N..uf$h..:.t.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\favicon[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 184 x 184, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3029
Entropy (8bit):	7.775466271259918
Encrypted:	false
SSDEEP:	48:trqMHw1fogNoolwWy7d/fB/yKv8EwIgr4/0aMsVYU39z9p39AWToe8JhKtbmrLNV:tGAYfTlYH/Bv8dZc/04VYA9n3eWb8Ho6
MD5:	175BFAD4569B48687A15D43A4E9BB617
SHA1:	E28A5AC7818D8ACEDA0D2DE2C20DD922923C3BA5
SHA-256:	F97E3C0058E3352D1F3789F40CB76DBF2C6C085AFA7535BD38F4970F884B2A45
SHA-512:	658CC310C2A8FDBB32D48487CC7373B7D559AE55CB566C3669724F71ED9D86108F63E7A42B191A2A70CBCA47960E2591F7353261DCF5F0556AEDF1AB9F2D1501
Malicious:	false
Preview:	.PNG........IHDR.............P3&.....gAMA......a.....pHYs..!7..!7.3X.z....tEXtSoftware.paint.net 4.1.6.N.....SIDATx^..q.F....C....C..NeI....@.@.`......C....n......nw.3..y_.W.jqw...1..w........uY(.e.7.......-.....2.e.<.V....GX....y...Z.pZ.2o.aQ+.Nk[..#,je.im.y.E..8.m.7.......-.....2.e.<.V....GX.........OtN....@.y...Z].O.yG...e....-.y.E..8....0.$4.8...NB...0.$4.8...NB...0.$4.8...NB...0.$4.8...NB...0.$4.8...NB...0.$4.8...NB...0.$4.8...NB...0.$4.8...NB...0.$4.x0...O.........?=......+..40..H..sZ..6.........0.A..9..p..\|..\R.~.o...<.i]...U..d.....@nM..;...0..H;....NC.0.x..;...-.....v..P-.....2....C.0.x.R..B...[..<.2.K..6hlW-.....A;...E.....e...-..3[..<0.....W9+..a.'!m.....:[..O.L-..>13.0.8Y...0...".0.8y..-..NT...0...H-..N...0...zma.6..?..GX...Ao-..2o.aQ+.>...07-.....2...a..-.....2.1.}.k.S..#,je.cqmaz...y.E..x\.~.).....z..\|..........y...Z.._..!y.."oG.9g.0e.<..=...,W..].'.Z.2o.aQ........E....GX.Z#.WedH.....-L.7....f.7.....Z.2o.aQk..S..la.bO.S..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\flags[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 256 x 176, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	79881
Entropy (8bit):	7.991660240102433
Encrypted:	true
SSDEEP:	1536:1Y8IMjg1tD1NxXJ1SVkr1Iis2+VQ0OW3n3M/J3Vv6wJfIm:1Y1MjgrD31dr1eqaMBl/
MD5:	E8277D4B0E4FA234B797590859AF8506
SHA1:	D1676C5C72FDAB11DD6511312C9E22912D5E786B
SHA-256:	9BB25FB7788587D4D6DC12D70E89E7AFF8C24DFBDA518E8BD8325803F415D21A
SHA-512:	867D12381246E27E7EF6B0E5CC042EF1FFC9653F491956CEB0D059BEB1B0D600CE38854C9468BDF4B5532325C50FF570050B04D31EBE934DD69E9E41CB60AC64
Malicious:	false
IE Cache URL:	https://www.spyrix.com/css/flags/flags.png
Preview:	.PNG........IHDR....................pHYs..........+.... .IDATx...w..U..3...^..&.I.tJ.w...R^@.P....HP..P...." .....J.i..U @....$.n..S.?....n@_..\|.3s..3.=.s..;.....'.?Z`...`.D".o.1e.#.P..VU...?.0......q..../..o.h+:;;..B.V.[.)+.H_..nj...t ..=.....r..<.ac&.h6..8&..Q.5..d... 6..P...z.X.Oo#k../.@I..f&_%.N......0.....`..(.B....M..'g..._......../...s..S.\|bk..LBY...m..t...-.;. .`........"e...2.e.P.....a."......#L....&.....\|...)..Z.x..k...?E...6.s......f......N2{.}...........t.C6.%.....2.....<............"U.`U4._S>.o....W1......(.....M&#.V..I..d..X)0B`...?.^r...Xc.....5.h.Q(.PF..Dj.5..%3.A[[.?..O].Fc..)..&#.VJrRb...1..E.B.b......`..W...q.hj*5.MRX.x...6I>.PR"..NJF...Q.....CV...#.m...R.....onD..4...qkk..r....-.Mw...c.Y..oc..W..Zs..n..."P.#%FJ>..!hk#..t.....d..h.56.j.).Z.y......E....%..o..66b.o.s.U.`.3..k..0.1...z!.R.....o.O....$.k.6.X.`.m.6.4!.X.....v=.w..6.X.....v.(eHNu...gL...A.?P6a...."\~M?.Ck....Rd."..c.{..n.W..W...S.%.p3l..[......K

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\icon-semmac[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	4117
Entropy (8bit):	4.538762635185831
Encrypted:	false
SSDEEP:	96:BHR+iqaA1iJIkRlfhtU1N9trgGx+5IB1nKdvZhjz5HUZg3l:JR+iqJ1cRlfhtUt85hvZH42
MD5:	A720395897B4D22E1AB02EA1EC2634B0
SHA1:	E96C79A0F2C8E275A8CA15E588F1416BA178F76D
SHA-256:	B72BB5BDC2B53144D7CDD037F458A6976AC41BE02763CB73BBBC3976D7F098D9
SHA-512:	89483CB2FC05AA1B0A76A04440A531DA5FBEA88BC02062C87986AEB13F21311383AA28689E13C6751395E893E5BF7B2A025557D739919801DBB73476CE01B37E
Malicious:	false
IE Cache URL:	https://www.spyrix.com/images/icon/icon-semmac.svg
Preview:	<svg width="52" height="52" viewBox="0 0 52 52" fill="none" xmlns="http://www.w3.org/2000/svg">.<rect width="52" height="52" rx="6" fill="url(#paint0_linear)"/>.<path d="M16.0941 39L13.7041 42.64L11.3041 39H9.91406V46H11.4141V41.68L13.2641 44.5H14.1341L15.9841 41.69V46H17.4841V39H16.0941ZM23.0382 44.76V43.23C23.0382 41.65 22.1182 41.06 20.6782 41.06C19.9382 41.06 19.2082 41.25 18.8182 41.38V42.58C19.2682 42.4 19.8582 42.22 20.5182 42.22C21.2682 42.22 21.6482 42.55 21.6482 43.03V43.2C21.3082 43.12 20.8882 43.07 20.5082 43.07C19.5482 43.07 18.3982 43.45 18.3982 44.67C18.3982 45.62 19.1782 46.14 20.0782 46.14C20.7882 46.14 21.3382 45.92 21.8082 45.55C22.0082 45.91 22.3782 46.09 22.8682 46.09C23.1382 46.09 23.4182 46.03 23.6382 45.95V45.04C23.5482 45.07 23.4582 45.08 23.3782 45.08C23.1982 45.08 23.0382 45.01 23.0382 44.76ZM20.8282 43.9C21.1182 43.9 21.4382 43.96 21.6482 44.01V44.76C21.3282 45.04 20.9582 45.15 20.5682 45.15C20.1482 45.15 19.8182 44.92 19.8182 44.56C19.8182 44.07 20.3182 43.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\icon-spm[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	1899
Entropy (8bit):	4.930019722748769
Encrypted:	false
SSDEEP:	48:rlL/YswK+5L35rQstQIF9ocfFLOm/rQMJeguQ4Qb7e7kBVHt6W:dY2+V35rntdF9ocfFLOWr6guh07e7Wr
MD5:	4CE7B04D3BFCD15C02B524D9C36E8CC0
SHA1:	1C4A69B31B61A6BB762E2DC0CE409025D8760432
SHA-256:	CFE4DA5AF8F3C66A6B1A559FE3DFA6BF2CBD9745671126D670330954FF09A837
SHA-512:	80F157FA3C9A93EA388D7F2DE21D41B57CB168CBF0099A0D33D6093E9B1CBCB8834D390D05740C3CFF6F72BD720DA52A365653D2769BCC71F064D3BD36F76FD6
Malicious:	false
IE Cache URL:	https://www.spyrix.com/images/icon/icon-spm.svg
Preview:	<svg width="52" height="52" viewBox="0 0 52 52" fill="none" xmlns="http://www.w3.org/2000/svg">.<rect width="52" height="52" rx="6" fill="url(#paint0_linear)"/>.<path d="M34.0713 38.0001C37.3456 38.0001 39.9999 35.3212 39.9999 32.0167C39.9999 28.7123 37.3456 26.0334 34.0713 26.0334C30.7969 26.0334 28.1426 28.7123 28.1426 32.0167C28.1426 35.3212 30.7969 38.0001 34.0713 38.0001Z" stroke="white" stroke-width="2" stroke-miterlimit="10"/>.<path d="M36.0936 16.6642L39.9542 30.9963V32.0167C39.9542 35.3098 37.2886 38 33.9795 38C30.6705 38 27.9589 35.3098 27.9589 32.0167L27.913 17.128C27.913 14.8553 29.7973 13 32.0493 13C34.1634 13 35.8638 14.577 36.0936 16.6642Z" stroke="white" stroke-width="2" stroke-miterlimit="10"/>.<path d="M16.9287 38.0001C20.203 38.0001 22.8574 35.3212 22.8574 32.0167C22.8574 28.7123 20.203 26.0334 16.9287 26.0334C13.6544 26.0334 11 28.7123 11 32.0167C11 35.3212 13.6544 38.0001 16.9287 38.0001Z" stroke="white" stroke-width="2" stroke-miterlimit="10"/>.<path d="M14.9065 1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\normalize.min[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	1815
Entropy (8bit):	4.930778225047068
Encrypted:	false
SSDEEP:	24:NLr2BM/YolPfXe7aXnQstpx0EB0vetET58hHLjD+NxrMyLQESmTywRez/rSsJjeK:FUwlnewZtpx0XeH3D+NGeQE3RezrnNqK
MD5:	AC230A49D6D655CC2498C292B6ACB158
SHA1:	001BD6D68A9B9AF5DD0158FE116889434F36B1FD
SHA-256:	09BA75E6EBF66DEDDEDC677311FF8ECC7A4D305C59122D1DDE290E7C103A5A85
SHA-512:	A575EFFE6AF1DD1771E59CC34BF7A02C3B80604A80EE37D878F0D54BF20F01D444D651FC8858448C548DB96A34159A8A5EE15CEB9EF0F34A83A2B7D4493E280C
Malicious:	false
IE Cache URL:	https://www.spyrix.com/css/libs/normalize.min.css
Preview:	/! normalize.css v8.0.1 \| MIT License \| github.com/necolas/normalize.css /html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}main{display:block}h1{font-size:2em;margin:.67em 0}hr{box-sizing:content-box;height:0;overflow:visible}pre{font-family:monospace,monospace;font-size:1em}a{background-color:transparent}abbr[title]{border-bottom:none;text-decoration:underline;text-decoration:underline dotted}b,strong{font-weight:bolder}code,kbd,samp{font-family:monospace,monospace;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}img{border-style:none}button,input,optgroup,select,textarea{font-family:inherit;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button::-moz

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\MullerMedium[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 36080, version 0.0
Category:	downloaded
Size (bytes):	36080
Entropy (8bit):	7.98811737000219
Encrypted:	false
SSDEEP:	384:ypcygihv6p8Lu3KY3FK17v758AaRQqOigWLu+andBnMkEYXd1zr0heQbl3tSMr0W:ypcoW3KYo8XRwWLAAYOb5PZqesHzsBp
MD5:	7ED952F5965EFEC3C42F02F4EA06EAD2
SHA1:	4A3CC1470A9E0FF2AA1346F2286E0B83FF276E40
SHA-256:	29F63E87EDF0C3CAEB51734C94DC29D9B17B2D2FF82B38F969EEEECB7E55919A
SHA-512:	CBFBB1474FC092EE52AE170825748CC5C746879383A62EE4E9144C71E39624122E862A70E1A24EDEB859AA0C076472B2A28111B4F8044FA57BB75789395BD473
Malicious:	false
IE Cache URL:	https://www.spyrix.com/fonts/MullerMedium.woff
Preview:	wOFF..............R.........................FFTM............".P.GDEF..d....5...6...XGPOS..i...#...t\|0..GSUB..dL...n...j%.k.OS/2.......M...`..7.cmap................gasp..d.............glyf......L....H..@.head...X...6...6..m_hhea.......!...$.j..hmtx...$.......v..WAloca...P...0...BF...maxp........... .i.]name..Z....(.....F..post..\<........5..'...........2_.<.........\|%.`.....(.Q.`..................x.c`d``.......?....o...2`...xf.,...x.c`d``R`.b`g..& f.B...0....<...x.c`f.c...........................\|...(...)..H)..b.........P.t.....= 9.f.C..c...x.U_L.U.=...D...HW...".A...F....,.,.%.8uJ..,......../&.&.d.eKft&&..\|P.........2......_..S.$9...-...w..b..G../....z.qy.!.&}...s4a..14.....R...."u.[q..j.k...yl.>4. ..#..^..h.z..(.....v..!u....I..#..c.\B.L`X.!?.G.}.......p-X%.1._'s_7.AN..!.v3.~.....y.z.........Z...9@..&D.W...s["..4.j.9........:.$na.n9.I.]w..H.}.3..z....:........P..p.u(P..?..n..)..!$..&~.e..I`.L.Z.}..~.3..../clG..@L=.J5...._.T.G..#.o.y.....e.....s2...=..Z.G\.]Pg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\analytics[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	47051
Entropy (8bit):	5.516264124030958
Encrypted:	false
SSDEEP:	768:ryOveCSBZfsnt5XqY/yPndFTkoWY3SoavqVy2rlebYUDTJC6g0stZm:ryJNDfs5hYdFTwY3SorSg0su
MD5:	53EE95B384D866E8692BB1AEF923B763
SHA1:	A82812B87B667D32A8E51514C578A5175EDD94B4
SHA-256:	E441C3E2771625BA05630AB464275136A82C99650EE2145CA5AA9853BEDEB01B
SHA-512:	C1F98A09A102BB1E87BFDF825A725B0E2CC1DBEDB613D1BD9E8FD9D8FD8B145104D5F4CACA44D96DB14AC20F2F51B4C653278BFC87556E7F00E48A5FA6231FAD
Malicious:	false
IE Cache URL:	https://www.google-analytics.com/analytics.js
Preview:	(function(){/.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var l=this\|\|self,m=function(a,b){a=a.split(".");var c=l;a[0]in c\|\|"undefined"==typeof c.execScript\|\|c.execScript("var "+a[0]);for(var d;a.length&&(d=a.shift());)a.length\|\|void 0===b?c=c[d]&&c[d]!==Object.prototype[d]?c[d]:c[d]={}:c[d]=b};var q=function(a,b){for(var c in b)b.hasOwnProperty(c)&&(a[c]=b[c])},r=function(a){for(var b in a)if(a.hasOwnProperty(b))return!0;return!1};var t=/^(?:(?:https?\|mailto\|ftp):\|[^:/?#]*(?:[/?#]\|$))/i;var u=window,v=document,w=function(a,b){v.addEventListener?v.addEventListener(a,b,!1):v.attachEvent&&v.attachEvent("on"+a,b)};var x={},y=function(){x.TAGGING=x.TAGGING\|\|[];x.TAGGING[1]=!0};var z=/:[0-9]+$/,A=function(a,b,c){a=a.split("&");for(var d=0;d<a.length;d++){var e=a[d].split("=");if(decodeURIComponent(e[0]).replace(/\+/g," ")===b)return b=e.slice(1).join("="),c?b:decodeURIComponent(b).replace(/\+/g," ")}},D=function(a,b){b&&(b=String(b).toLowerCase());if("p

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\icon-spmpro[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	2983
Entropy (8bit):	4.731720609703365
Encrypted:	false
SSDEEP:	48:rlLZvUUfhi5u9L5fiHEq4NrQoqLRQAdQzr/yiQMyZ9BPQF9Q6z7r7f7kBVHt6W:NNAkq4NrZwR9d2r/rq1qR3r7f7Wr
MD5:	31BF7DC564F000B3A02216B4E9F0D3A5
SHA1:	CB17AAD00F51ECA99D3D712A270D5A9511622433
SHA-256:	8ADCCFB0D1C51BBFD67BC8D9A5009E05D8046274A694729DE70BE9E90696077B
SHA-512:	8EF6536B5041EBD18288DB57673997DF2E695AB05115E1C7EF21FE78C3C6755905E9649AA046E16DC8C0D3BA92F7200616A6E43EA94A91BC9170A912D4EA5A58
Malicious:	false
IE Cache URL:	https://www.spyrix.com/images/icon/icon-spmpro.svg
Preview:	<svg width="52" height="52" viewBox="0 0 52 52" fill="none" xmlns="http://www.w3.org/2000/svg">.<rect width="52" height="52" rx="6" fill="url(#paint0_linear)"/>.<rect x="22.9153" width="29.0847" height="13.2203" rx="6" fill="#D60A2E"/>.<path d="M27.3141 3.6438V10.6438H28.8141V8.3438H29.9541C31.6441 8.3438 32.9741 7.8038 32.9741 5.9938C32.9741 4.1838 31.6441 3.6438 29.9541 3.6438H27.3141ZM31.4441 5.9938C31.4441 6.8138 30.7941 7.0238 30.0241 7.0238H28.8141V4.9638H30.0241C30.7941 4.9638 31.4441 5.1638 31.4441 5.9938ZM35.4743 10.6438V8.1938H36.5743L38.4643 10.6438H40.1943L38.1043 8.0038C38.9543 7.7338 39.6343 7.1238 39.6343 5.9238C39.6343 4.1538 38.2143 3.6438 36.8543 3.6438H33.9743V10.6438H35.4743ZM35.4743 4.9638H36.9243C37.5543 4.9638 38.1043 5.2338 38.1043 5.9538C38.1043 6.6638 37.5543 6.9438 36.9243 6.9438H35.4743V4.9638ZM40.5471 7.1438C40.5471 9.0438 41.7871 10.7838 44.2671 10.7838C46.7471 10.7838 47.9871 9.0438 47.9871 7.1438C47.9871 5.2438 46.7471 3.5038 44.2671 3.5038C41.7871 3.503

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\no[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	270
Entropy (8bit):	4.930112395684024
Encrypted:	false
SSDEEP:	6:tnrVzUWRumc4slZRIuHF39hawlZFmqZuqRIj49hawlZFmqZZ:trVzvRui431ljhuDj41ljhZ
MD5:	D3CEF12C5AEACFD2F197B3735F1426E0
SHA1:	C8D41C6A16CE551C265BB0297EF1165587B03C94
SHA-256:	F097CE5E12A91B17B1264648B64C4E454EE27CA1E2B4E92B3606AF2E4EE71D97
SHA-512:	BEE534A12C92D917ABFA88D73F0132B2CEDD79F71FD24638153716D7F9AD6652AE94454FA2D2EB0625641197692EFE1CCD303595AA317C2D4784EEC26B8753B6
Malicious:	false
IE Cache URL:	https://www.spyrix.com/images/icon/no.svg
Preview:	<svg width="12" height="12" viewBox="0 0 13 13" fill="none" xmlns="http://www.w3.org/2000/svg">. <path d="M1 1L12 12" stroke="#D60A2E" stroke-width="2" stroke-linecap="round"/>. <path d="M12 1L1 12" stroke="#D60A2E" stroke-width="2" stroke-linecap="round"/>.</svg>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\spyrix-products[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	180
Entropy (8bit):	4.512703088518611
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP1hqwcWWGpvGyy:q43tISl6kXiMIWSU6XlI5LPKpfGpfy
MD5:	873834655AEB19D8D97657E40A20425C
SHA1:	93704C4ED90F1A73C2B5626A21FFD4E74BC54E8D
SHA-256:	8F8D5AB1ED147A93A9F78B13BB62941BCD974A9642586B4F221644E3284B369D
SHA-512:	5862183A9EFDAACE1B0A612D93F428961D265BD27BA8AD094E53BE03551FEB95769C08B103DF13A5B38C69CA9C451343E48D0E950D5A4ABC7BC8CAF3FAED3D6C
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.17.3</center>..</body>..</html>..l>....0....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\style.min[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	6816
Entropy (8bit):	5.0746382239017125
Encrypted:	false
SSDEEP:	96:sPMJXgh4DQgltqDt4UAmyCdR631VPd3JJ1423v3oS98jwbfmWl:SMpaVLt4UACdR63l14s/f98qfmI
MD5:	9624F53B6661EA0481CF034FF576B484
SHA1:	5D0E268B0EDFC1BCE3159EC613CC17ACBD3719C6
SHA-256:	86C49145F79ED1B6FD5FA2B1C2C261C8ABC5D1F2EFA1F8D7F256A2C81BD1F25A
SHA-512:	3F10CE859519CFF7F49A15169495A2C97D0C0F11D0C394E756AC2A03B8584E53F75D98C48A9EED8D51813EF113761020A503AC29609B98AD630AC7E10354C24A
Malicious:	false
IE Cache URL:	https://www.spyrix.com/css/style.min.css
Preview:	aside.screenshots{margin:25px 0;background-color:#f8f8f8}section>h2{margin:25px 0}.yes{background:url(/images/icon/yes.svg) no-repeat!important;width:14px;height:12px;display:inline-block;position:relative;top:4px}.no{background:url(/images/icon/no.svg) no-repeat!important;width:14px;height:12px;display:inline-block;position:relative;top:3px}.btn-center{margin:auto}.btn-outline{border:1px solid}.btn-outline-primary{border-color:#64a0ff;color:#64a0ff}.btn-outline-primary:active,.btn-outline-primary:focus,.btn-outline-primary:hover{color:#fff;background-color:#64a0ff}.btn-outline-success{border-color:#61bd29;color:#61bd29;box-shadow:0 4px 4px rgba(97,189,41,.25)}.btn-outline-success:active,.btn-outline-success:focus,.btn-outline-success:hover{color:#fff;background-color:#61bd29}.img-rounded{border-radius:50%}.user-icon{height:64px;width:64px!important;display:inline!important}#navigation div ul li#nav-btn-buy,#navigation div ul li#nav-btn-download{display:none;right:-3000px;position:rela

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\yes[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	225
Entropy (8bit):	5.042040506945538
Encrypted:	false
SSDEEP:	6:tnrLNU6Dumc4slZRIRknaWR69xLZFmqZllZ:trLNTDuiRwaW47LjhllZ
MD5:	B700C70510103CDE97799B00D4F55157
SHA1:	B0C52AFB8B892EF9FD6FEFFFAE88F835D387A0C6
SHA-256:	E228A1A865365D505673C384582E39084063A542841715BCD45172AEB8162C13
SHA-512:	B82D9AC5354876FD843EA43DE121970FADE95F21A5C8B91582EECDB087A5EEF7983CF00664D11B4672CF5CC07AB5E7ACEEB8407786328CE9EC8361E4CFAB2B1B
Malicious:	false
IE Cache URL:	https://www.spyrix.com/images/icon/yes.svg
Preview:	<svg width="14" height="10" viewBox="0 0 14 10" fill="none" xmlns="http://www.w3.org/2000/svg">. <path d="M1 4.03448L5.59574 9L13 1" stroke="#424B53" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>.</svg>

C:\Users\user\AppData\Local\Temp\is-9A0F1.tmp\_isetup\_iscrypt.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-9A0F1.tmp\_isetup\_setup64.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp Download File
Process:	C:\Users\user\Desktop\sfk_setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1210368
Entropy (8bit):	6.401532174774316
Encrypted:	false
SSDEEP:	24576:3tdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5JTx91m:dqTytRFk6ek1vS
MD5:	E40F7EB5C693C2D90A28CBA04D85D286
SHA1:	B081C53F7C434D5BB222063424E1F55DF4E5711F
SHA-256:	EC222809779FEE97116D2367D269FC06F9B7EA8633EF60F79DE7734066F1CBBD
SHA-512:	57C52261EC6A5BA9188E765A86AC04D682C4285BBBEDA0539A2C8659AC28AA9CF264E75E103E351418A2B35A61E3BEB38603245767B5EA4F0B2A9A1AAD91C667
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......W.....................z......l........ ....@..........................@............@......@..............................@8...0..H.................................................... .......................................................text............................... ..`.itext.............................. ..`.data...h0... ...2..................@....bss.....a...`.......0...................idata..@8.......:...0..............@....tls....<............j...................rdata....... .......j..............@..@.rsrc...H....0.......l..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF32B1555101E68AA6.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29745
Entropy (8bit):	0.31122422556828777
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laARaET69laA4:kBqoxxJhHWSVSEabZGQ2y
MD5:	80056620453A761DC8A7227A8A5D871C
SHA1:	62D17E56FCDC28998C6851DD3BCB3ADA86AC44B3
SHA-256:	B1B67573E5A0A56828EC99F88A294C6A09A5E6DC1C8A86B4A1FB9D657C487216
SHA-512:	04516F2EE0832D96845482916BA16B0A8216EE140163274D0BF99555BAB7E79D92ADD14D1DB8670871D4EE02EC5FD0B4CC5B19768402363CF66833A870157B4C
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF63BD00F0C1199366.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34569
Entropy (8bit):	0.47276627500423
Encrypted:	false
SSDEEP:	48:kBqoxKgXAXByXiyXgXLXSX8XpsXqvs+T:kBqoxKgQxySywbisZsos
MD5:	99BEF0EA315C9A644FB416CE7DE2FAD7
SHA1:	A4FE1CAD54CAF28116B7A66106E6B3BDF1DB3645
SHA-256:	E92CCEBC54ABC3740D282FA38C69F37D6CCD591CBECD04C01C562A1A9C5C6AFD
SHA-512:	1CFD782F5A060C688FFDC67927E6CABD579689FDCD12BDDAAEA3D2E6380D2E388C9095885D7019001C88D40195662DFE341AC268549491E7B04A76949D0F0E12
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8FFFF6B2AC06C4DD.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13077
Entropy (8bit):	0.49825255552411185
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loLVF9loLP9lWLWYbt2tNhYbGoqhqhhqo:kBqoIUKLqG
MD5:	3E4593F87883EA698BED28BEA7DC2075
SHA1:	B8D5107B5EDD82CD31739EF5384B425217AD9E29
SHA-256:	1C2B4BBC7374B1D84FB32A6818B5B132D5D36E47995D72F50C706F0C88FC4B65
SHA-512:	ADC37D5BF660D2A6149C2D96BE5AA0B81BF3DA612C8132E570A0AF5B325A86B846DC9EF6D2743577EAF420D3BA3625DB058BC1F8E4BA96B4119B8BB95DF179FC
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\Spyrix Free Keylogger.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue Jan 12 00:59:16 2021, mtime=Tue Jan 12 00:59:16 2021, atime=Tue Jan 14 06:59:00 2020, length=5197960, window=hide
Category:	dropped
Size (bytes):	1899
Entropy (8bit):	3.4147878409702357
Encrypted:	false
SSDEEP:	24:8BoLzWNBzIgQqAU6YQfVX8sDVX8w4VX89kW0HYxeZ89ip1mC1mEm:8Ss0g8UPQf+4+w4+9kWz99i1l
MD5:	5D4F866F7E84D1283766D295A0D2B543
SHA1:	685F7EC649B9427F1C30314A69124E555F437E4F
SHA-256:	9B5CCC2E0C45025EF57B3C024AB66E0494AD2CA27B6EA54E20A7F5D54D8B0056
SHA-512:	3630D1A722FD2E39CCFCA8F103AF50054301F8D6AC52B4006969684B67B3FDA4E90E253597BB6D8CAA7253C14B08692B0DADED97829699F7765ACF2C9EFC28C6
Malicious:	false
Preview:	L..................F.@.. .....:......Qj........z.....PO..........................P.O. .:i.....+00.../C:\...................`.1.....,Rh...PROGRA~3..H......L.,Rh.....F......................n..P.r.o.g.r.a.m.D.a.t.a.......1.....,Rm...{827D2~1..~......,Rh.,Rm......g.....................w .{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.....Z.2..PO..P`? .spkl.exe..B......,Ri.,Ri...../i........................s.p.k.l...e.x.e.......m...............-.......l............4.......C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe..D.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.s.p.k.l...e.x.e.5.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.>.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.m.a.i.n...i.c.o.........%ALLUSERSPROFILE%\{827D21CC-A22D-45D6-23CA-451DDAC

C:\Windows\runkey.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	472200
Entropy (8bit):	7.7873657676638235
Encrypted:	false
SSDEEP:	12288:371h6fR7jmI888888888888W88888888888ZAj5YDipXjATWA91e7YvtrnB0:Ym82ErtT6
MD5:	E3B46D53294CF1AA1FC45441D16AFCF5
SHA1:	6A138606CDA29DE3A19FABEEA5B78A73E8BFC059
SHA-256:	20D4BCD662E42C436AF424E44D663511D85DCBBA52FB12E1524EE1FB3E3C6810
SHA-512:	73DDF64994025A757B14D28F3FB2A42BF17E5AEB87C72C22A96E7F541C9A133296FA8D0D2F145587FF16565F1290E9FAD1BF517C6200083624A6F3D26EB643DD
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...jx.].....................(....................@..........................p.......X...........@..........................\|........................................................................................................................................f..................@........................j..............@............ ...........p..............@............`...........v..............@................P.......v..............@................`......................@................p......................@............p.......4..................@....rsrc...............................@....data................Z..............@....adata.......`......................@...........................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.99949179236823
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sfk_setup.exe
File size:	24086096
MD5:	945d981860358a2da40321783865f6da
SHA1:	df551d918354421e60b458cbd7a9032080835bc9
SHA256:	407ae7a2edaae00d7e109b746153310fcfed60104687bde65b90b9a46c85f655
SHA512:	e430c21007912817794c63721f7bfa03ef29731210d2d5c4ad1016e9fd7e9819b7313fca8acee9cf688e62bb9d8702e17f3fa6433334994fbe0e5b48499eb8b7
SSDEEP:	393216:Jke/HXgYtDypsYf1cfKdsVQjL2DL7ybBgK2jfQg/J13nM3D58YOEhDSwF/4v9tp6:2kX1lqH1aLQL2LOgpLlnc58oDDgtq1bT
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	f2699df1626d79b0

Static PE Info

General
Entrypoint:	0x4117dc
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x57051F88 [Wed Apr 6 14:39:04 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	20dd26497880c05caed9305b3c8b9109

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/25/2019 4:00:00 PM 12/25/2020 3:59:59 PM
Subject Chain	CN=Craft LLC, O=Craft LLC, STREET="Melkombinatovsky travel, 8a5 office;1st floor", L=Kirov, S=Kirov Region, PostalCode=610017, C=RU
Version:	3
Thumbprint MD5:	763472766FF80241B7745A9B34379D5F
Thumbprint SHA-1:	7EC79998CC60F60CBCF8C5287C888C619CEB74E7
Thumbprint SHA-256:	FFC8E2421577BAD82677C42BB4B73265A83138800666C24BE2F59B5664AD42AF
Serial:	0771722FC86D51EDCD1D9B6DCCDB9919

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 00410144h
call 00007FF2FC91053Dh
xor eax, eax
push ebp
push 00411EBEh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00411E7Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [00415B48h]
call 00007FF2FC918C83h
call 00007FF2FC9187D2h
cmp byte ptr [00412ADCh], 00000000h
je 00007FF2FC91B77Eh
call 00007FF2FC918D98h
xor eax, eax
call 00007FF2FC90E5D5h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FF2FC91581Bh
mov edx, dword ptr [ebp-14h]
mov eax, 00418658h
call 00007FF2FC90EBAAh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [00418658h]
mov dl, 01h
mov eax, dword ptr [0040C04Ch]
call 00007FF2FC916132h
mov dword ptr [0041865Ch], eax
xor edx, edx
push ebp
push 00411E26h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FF2FC918CF6h
mov dword ptr [00418664h], eax
mov eax, dword ptr [00418664h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FF2FC91B7BAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19000	0xe04	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x12850	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x16f6dc8	0x1888
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1b000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19304	0x214	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf244	0xf400	False	0.548171746926	data	6.37521350405	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0x11000	0xf64	0x1000	False	0.55859375	data	5.73220066616	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0xc88	0xe00	False	0.253348214286	data	2.29672090879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x13000	0x56bc	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x19000	0xe04	0x1000	False	0.321533203125	data	4.59781255771	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x1a000	0x8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0x18	0x200	False	0.05078125	data	0.20448815744	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0x12850	0x12a00	False	0.187460675336	data	5.0847150123	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1c44c	0x4228	data	English	United States
RT_ICON	0x20674	0x25a8	data	English	United States
RT_ICON	0x22c1c	0x10a8	data	English	United States
RT_ICON	0x23cc4	0xcd8	data	English	United States
RT_ICON	0x2499c	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_STRING	0x24e04	0x68	data
RT_STRING	0x24e6c	0xd4	data
RT_STRING	0x24f40	0xa4	data
RT_STRING	0x24fe4	0x2ac	data
RT_STRING	0x25290	0x34c	data
RT_STRING	0x255dc	0x294	data
RT_RCDATA	0x25870	0x82e8	data	English	United States
RT_RCDATA	0x2db58	0x10	data
RT_RCDATA	0x2db68	0x150	data
RT_RCDATA	0x2dcb8	0x2c	data
RT_GROUP_ICON	0x2dce4	0x4c	data	English	United States
RT_VERSION	0x2dd30	0x4f4	data	English	United States
RT_MANIFEST	0x2e224	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
advapi32.dll	AdjustTokenPrivileges

Version Infos

Description	Data
LegalCopyright
FileVersion
CompanyName
Comments	This installation was built with Inno Setup.
ProductName
ProductVersion
FileDescription
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 17:59:42.483756065 CET	49746	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.484730005 CET	49747	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.618139029 CET	80	49747	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:42.618268013 CET	49747	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.618953943 CET	49747	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.621529102 CET	80	49746	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:42.621646881 CET	49746	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.751964092 CET	80	49747	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:42.752037048 CET	80	49747	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:42.752116919 CET	49747	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.764344931 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.898768902 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:42.898996115 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.913793087 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.047821045 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.048188925 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.048230886 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.048274040 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.048297882 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.048301935 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.048352957 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.048372030 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.051188946 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.051254988 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.113617897 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.119852066 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.248575926 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.250466108 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.293092966 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.309756041 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.309809923 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.309845924 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.309883118 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.309954882 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.309964895 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.310015917 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.310039997 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.310094118 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.310118914 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.310164928 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.310185909 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.310220003 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.310319901 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.310326099 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.452526093 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.465100050 CET	49746	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.465136051 CET	49747	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.469568014 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.469605923 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.470282078 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.470335960 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.471849918 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.586801052 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587321997 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587374926 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587445974 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587486029 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.587493896 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587519884 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.587537050 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.587546110 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587590933 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587599039 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.588327885 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.590691090 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.598434925 CET	80	49747	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.599673033 CET	49747	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.602674961 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.602803946 CET	80	49746	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.602938890 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.602960110 CET	49746	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.603108883 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.603916883 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.604854107 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.605041981 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.605103016 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.605268002 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.605881929 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.606201887 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.611850023 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.612154961 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.612189054 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.612505913 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.613655090 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.725737095 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.725804090 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.725894928 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.725955009 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.728725910 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.754601002 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754635096 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754654884 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754689932 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754714966 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754755974 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.754812956 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754832983 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754851103 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754868984 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.754873991 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754894018 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754911900 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.754993916 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.754995108 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.756728888 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.756773949 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.757164001 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.757215977 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.759677887 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.770554066 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.771007061 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.772471905 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.773585081 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.774092913 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.863483906 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.863527060 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.863562107 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.863600016 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.863636017 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.863774061 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.863861084 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.863892078 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.865025997 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.867558956 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.894083023 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.894478083 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.895273924 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.895421982 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.905249119 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.905693054 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.905718088 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.905735970 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.905757904 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.905776024 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.905802965 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.905864954 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.906987906 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.907015085 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.907299995 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.907957077 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.907998085 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.908035040 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.908595085 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.908615112 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.908632040 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.908643007 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.908649921 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.908680916 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.909252882 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.909271955 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.909286976 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.909336090 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.909353971 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.909372091 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.909373045 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.909401894 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.909420967 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.909430027 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.909441948 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.909446955 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.909461021 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.909467936 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.909473896 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.909478903 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.909503937 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.909533024 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.916389942 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.918428898 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.918682098 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.920722961 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.002358913 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.002412081 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.002537966 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.002585888 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.009536982 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.030272961 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.030343056 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.030385017 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.030390978 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.030450106 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.030623913 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.037276030 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.051583052 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.051628113 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.051723003 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.051811934 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.052426100 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.052464962 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.052948952 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.053610086 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.053647995 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.053699017 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.053735018 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.053740025 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.053750992 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.053776979 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.053919077 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.054023981 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.054063082 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.054097891 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.054116964 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.054145098 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.054160118 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.054193020 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.054279089 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.090267897 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.144222021 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144264936 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144300938 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144360065 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144404888 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144412994 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.144447088 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.144450903 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144496918 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.144505978 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144542933 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144543886 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.144598961 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144639015 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.144643068 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144679070 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144717932 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.144727945 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144785881 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144824028 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.144862890 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144920111 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.144922018 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.144989014 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.145112038 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.145173073 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.145225048 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.145258904 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.145296097 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.145306110 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.145446062 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.172323942 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.172363043 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.172398090 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.172432899 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.172450066 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.172475100 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.172493935 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.201459885 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.202100992 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.217598915 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.223934889 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.223975897 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224024057 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224065065 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224117041 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.224150896 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.224167109 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.224194050 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224231005 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224288940 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.224292040 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224334002 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224390030 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.224406958 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224447012 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224503994 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.224483967 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224549055 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224576950 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224606037 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.224636078 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224689007 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.224697113 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224745989 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224802017 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.224812984 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224853039 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.224905014 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.224910975 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.225039005 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.279582024 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.279623985 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.279660940 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.279674053 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.279695034 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.279696941 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.279709101 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.279742956 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.279783964 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.279798985 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.279819965 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.279855967 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.279866934 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.279887915 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.279933929 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.336325884 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.336393118 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.336445093 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.336488008 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.336493015 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.336533070 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.336539984 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.336648941 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.336657047 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.336689949 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.336699009 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.336708069 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.336751938 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.336774111 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.336796045 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.336837053 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.336870909 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.337075949 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.337521076 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.337609053 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.351752043 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.353003979 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.358129978 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.358186960 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.358226061 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.358236074 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.358263969 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.358288050 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.358302116 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.358334064 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.358339071 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.358371019 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.358386993 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.358390093 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.358447075 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.358460903 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.358484983 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.358524084 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.358551025 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.358581066 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.471060991 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471115112 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471151114 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471188068 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471225977 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471247911 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.471268892 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.471272945 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471313953 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471349955 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471400023 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471446991 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.471457005 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.471462011 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.471467018 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471528053 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471545935 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.471575975 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471594095 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.471626043 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471673965 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471709013 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.471729040 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.471740007 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471781969 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471822023 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471853018 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.471865892 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471904993 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.471935987 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.471961021 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.471965075 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.472083092 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.606105089 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606149912 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606187105 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606216908 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606245995 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606277943 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.606292963 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606336117 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606372118 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606409073 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606415987 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.606426954 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.606448889 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606483936 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606518984 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.606519938 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606558084 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606590033 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.606605053 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606647015 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606678009 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.606683016 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606719971 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606750011 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.606806993 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606861115 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606901884 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606940031 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.606944084 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.606972933 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.606978893 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.606980085 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.607021093 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.607049942 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.607054949 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.607120037 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.607136965 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.607187033 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.607219934 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.607299089 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.607353926 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.607367992 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.607387066 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.607430935 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.607454062 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.607476950 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.607486963 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.607520103 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.607547045 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:44.607661009 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:44.972995043 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:45.107657909 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:45.107698917 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:45.107733011 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:45.107745886 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:45.107827902 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:45.107846022 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:59.051991940 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:59.052021980 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:59.052072048 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:59.052115917 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:59.150693893 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:59.150721073 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:59.150819063 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:59.223172903 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:59.223203897 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:59.223313093 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:59.223368883 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:59.337043047 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:59.337064981 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:59.337168932 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:59.352193117 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:59.352211952 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:59.355860949 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:00:00.107770920 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 18:00:00.107817888 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 18:00:00.107891083 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:00:00.107990980 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:01:32.221117973 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:01:32.221134901 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:01:32.221532106 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:01:32.221565008 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:01:32.222457886 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:01:32.222477913 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:01:32.223543882 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:01:32.223561049 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:01:32.223992109 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:01:32.224014044 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:01:32.225197077 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 18:01:32.225213051 CET	49752	443	192.168.2.3	54.39.133.136

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 17:58:42.740089893 CET	53023	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:42.788237095 CET	53	53023	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:43.606468916 CET	49563	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:43.654539108 CET	53	49563	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:44.545748949 CET	51352	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:44.602273941 CET	53	51352	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:46.714562893 CET	59349	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:46.763588905 CET	53	59349	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:47.755930901 CET	57084	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:47.803766966 CET	53	57084	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:48.533551931 CET	58823	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:48.581424952 CET	53	58823	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:53.237919092 CET	57568	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:53.286305904 CET	53	57568	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:54.134023905 CET	50540	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:54.187947989 CET	53	50540	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:55.017010927 CET	54366	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:55.064964056 CET	53	54366	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:55.820069075 CET	53034	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:55.868105888 CET	53	53034	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:56.678369045 CET	57762	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:56.726350069 CET	53	57762	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:57.494085073 CET	55435	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:57.541990042 CET	53	55435	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:58.311652899 CET	50713	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:58.362329960 CET	53	50713	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:12.790934086 CET	56132	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:12.841727972 CET	53	56132	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:20.220263958 CET	58987	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:20.278008938 CET	53	58987	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:27.469937086 CET	56579	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:27.528049946 CET	53	56579	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:31.911442041 CET	60633	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:31.974312067 CET	53	60633	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:33.320950985 CET	61292	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:33.379729986 CET	53	61292	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:36.437645912 CET	63619	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:36.493783951 CET	53	63619	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:41.218703985 CET	64938	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:41.270613909 CET	61946	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:41.276972055 CET	53	64938	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:41.335743904 CET	53	61946	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:42.405960083 CET	64910	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:42.464117050 CET	53	64910	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:43.465065956 CET	52123	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:43.534511089 CET	53	52123	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:44.996952057 CET	56130	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:45.056008101 CET	53	56130	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:47.764730930 CET	56338	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:47.835721970 CET	53	56338	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:11.194204092 CET	59420	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:11.242177010 CET	53	59420	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:12.079523087 CET	58784	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:12.136121988 CET	53	58784	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:12.191696882 CET	59420	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:12.248117924 CET	53	59420	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:13.083915949 CET	58784	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:13.140383959 CET	53	58784	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:13.191121101 CET	59420	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:13.247313023 CET	53	59420	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:14.136617899 CET	58784	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:14.184643030 CET	53	58784	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:15.191504002 CET	59420	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:15.247745037 CET	53	59420	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:16.144259930 CET	58784	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:16.192390919 CET	53	58784	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:19.232702971 CET	59420	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:19.289062023 CET	53	59420	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:20.160113096 CET	58784	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:20.208046913 CET	53	58784	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:21.074881077 CET	63978	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:21.122796059 CET	53	63978	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:38.154186964 CET	62938	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:38.205246925 CET	53	62938	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:38.603552103 CET	55708	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:38.675530910 CET	53	55708	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:35.698355913 CET	56803	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:35.804193020 CET	53	56803	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:36.441159964 CET	57145	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:36.497481108 CET	53	57145	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:38.153460979 CET	55359	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:38.214943886 CET	53	55359	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:38.685592890 CET	58306	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:38.757034063 CET	53	58306	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:39.297667027 CET	64124	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:39.356237888 CET	53	64124	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:40.050431013 CET	49361	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:40.106930971 CET	53	49361	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:40.786555052 CET	63150	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:40.843008995 CET	53	63150	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:41.999900103 CET	53279	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:42.058938980 CET	53	53279	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:43.430733919 CET	56881	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:43.487091064 CET	53	56881	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:44.163132906 CET	53642	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:44.222630978 CET	53	53642	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 11, 2021 17:59:41.270613909 CET	192.168.2.3	8.8.8.8	0x3680	Standard query (0)	www.spyrix.com	A (IP address)	IN (0x0001)
Jan 11, 2021 17:59:42.405960083 CET	192.168.2.3	8.8.8.8	0x5aef	Standard query (0)	www.spyrix.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 11, 2021 17:59:41.335743904 CET	8.8.8.8	192.168.2.3	0x3680	No error (0)	www.spyrix.com	spyrix.com		CNAME (Canonical name)	IN (0x0001)
Jan 11, 2021 17:59:41.335743904 CET	8.8.8.8	192.168.2.3	0x3680	No error (0)	spyrix.com		54.39.133.136	A (IP address)	IN (0x0001)
Jan 11, 2021 17:59:42.464117050 CET	8.8.8.8	192.168.2.3	0x5aef	No error (0)	www.spyrix.com	spyrix.com		CNAME (Canonical name)	IN (0x0001)
Jan 11, 2021 17:59:42.464117050 CET	8.8.8.8	192.168.2.3	0x5aef	No error (0)	spyrix.com		54.39.133.136	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.spyrix.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49747	54.39.133.136	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 11, 2021 17:59:42.618953943 CET	3840	OUT	GET /spyrix-products.php?from=sfk_install HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: www.spyrix.com Connection: Keep-Alive
Jan 11, 2021 17:59:42.752037048 CET	3841	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.17.3 Date: Mon, 11 Jan 2021 16:59:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://www.spyrix.com/spyrix-products.php?from=sfk_install Strict-Transport-Security: max-age=0; Data Raw: 61 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 37 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a9<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.17.3</center></body></html>0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 11, 2021 17:59:43.051188946 CET	54.39.133.136	443	192.168.2.3	49748	CN=spyrix.com CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Nov 10 01:00:00 CET 2020 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019	Sun Dec 12 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: sfk_setup.exe PID: 6736 Parent PID: 5780

General

Start time:	17:58:52
Start date:	11/01/2021
Path:	C:\Users\user\Desktop\sfk_setup.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\sfk_setup.exe'
Imagebase:	0x400000
File size:	24086096 bytes
MD5 hash:	945D981860358A2DA40321783865F6DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: sfk_setup.tmp PID: 6772 Parent PID: 6736

General

Start time:	17:58:53
Start date:	11/01/2021
Path:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp' /SL5='$2A0068,23551647,152064,C:\Users\user\Desktop\sfk_setup.exe'
Imagebase:	0x400000
File size:	1210368 bytes
MD5 hash:	E40F7EB5C693C2D90A28CBA04D85D286
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: regedit.exe PID: 6364 Parent PID: 6772

General

Start time:	17:59:24
Start date:	11/01/2021
Path:	C:\Windows\SysWOW64\regedit.exe
Wow64 process (32bit):	true
Commandline:	'regedit.exe' /e 'C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid' 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1'
Imagebase:	0xfa0000
File size:	316416 bytes
MD5 hash:	617538C965AC4DDC72F9CF647C4343D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: iexplore.exe PID: 1844 Parent PID: 6772

General

Start time:	17:59:40
Start date:	11/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' http://www.spyrix.com/spyrix-products.php?from=sfk_install
Imagebase:	0x7ff6cb5e0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: spkl.exe PID: 6448 Parent PID: 6772

General

Start time:	17:59:41
Start date:	11/01/2021
Path:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
Imagebase:	0x400000
File size:	5197960 bytes
MD5 hash:	B3660FFBFB44E9C85287E9BF41126C41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000011.00000002.613741986.0000000000401000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000011.00000003.316681311.0000000004810000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 4848 Parent PID: 1844

General

Start time:	17:59:40
Start date:	11/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1844 CREDAT:17410 /prefetch:2
Imagebase:	0x1150000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: spmm.exe PID: 5340 Parent PID: 6448

General

Start time:	17:59:59
Start date:	11/01/2021
Path:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' 'Spyrix Free Keylogger 11.5.1'
Imagebase:	0x400000
File size:	975496 bytes
MD5 hash:	E0C9D91F9EBD2F3974B42B4DDFC1F6DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000003.353294835.0000000003670000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: sime64.exe PID: 6400 Parent PID: 6448

General

Start time:	18:00:06
Start date:	11/01/2021
Path:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe
Wow64 process (32bit):	false
Commandline:	'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe' exitime64
Imagebase:	0x400000
File size:	3255944 bytes
MD5 hash:	66D5C7CA9D59F4F6F51907CBC2C9A5E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: sfk_setup.exe PID: 6736 Parent PID: 5780 sfk_setup.exeCOMMON

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.4%
Total number of Nodes:	1411
Total number of Limit Nodes:	51

Executed Functions

Function 004110C4, Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 160
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E004110C4(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				long _t37;
				_Unknown_base(*)()* _t40;
				_Unknown_base(*)()* _t41;
				_Unknown_base(*)()* _t44;
				signed int _t49;
				void* _t105;
				void* _t106;
				intOrPtr _t122;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				struct HINSTANCE__* _t140;
				intOrPtr* _t142;
				intOrPtr _t144;
				intOrPtr _t145;

				_t144 = _t145;
				_t106 = 6;
				do {
					_push(0);
					_push(0);
					_t106 = _t106 - 1;
				} while (_t106 != 0);
				_push(_t106);
				_push(_t144);
				_push(0x41131e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t145;
				 *0x415b58 =  *0x415b58 - 1;
				if( *0x415b58 >= 0) {
					L19:
					_pop(_t122);
					 *[fs:eax] = _t122;
					_push(E00411325);
					return L00404C90( &_v56, 0xd);
				}
				_t140 = GetModuleHandleW(L"kernel32.dll");
				_t37 = GetVersion();
				_t105 = 0;
				if(_t37 != 0x600) {
					_t142 = GetProcAddress(_t140, "SetDefaultDllDirectories");
					if(_t142 != 0) {
						 *_t142(0x800);
						asm("sbb ebx, ebx");
						_t105 = 1;
					}
				}
				if(_t105 == 0) {
					_t44 = GetProcAddress(_t140, "SetDllDirectoryW");
					if(_t44 != 0) {
						 *_t44(0x411378);
					}
					E0040699C( &_v8);
					E00404C98(0x415b5c, _v8);
					if( *0x415b5c != 0) {
						_t49 =  *0x415b5c; // 0x0
						if(_t49 != 0) {
							_t49 =  *(_t49 - 4);
						}
						_t125 =  *0x415b5c; // 0x0
						if( *((short*)(_t125 + _t49 * 2 - 2)) != 0x5c) {
							E00404F98(0x415b5c, 0x411388);
						}
						_t126 =  *0x415b5c; // 0x0
						E00405058( &_v12, L"uxtheme.dll", _t126);
						E004069C8(_v12, _t105);
						_t127 =  *0x415b5c; // 0x0
						E00405058( &_v16, L"userenv.dll", _t127);
						E004069C8(_v16, _t105);
						_t128 =  *0x415b5c; // 0x0
						E00405058( &_v20, L"setupapi.dll", _t128);
						E004069C8(_v20, _t105);
						_t129 =  *0x415b5c; // 0x0
						E00405058( &_v24, L"apphelp.dll", _t129);
						E004069C8(_v24, _t105);
						_t130 =  *0x415b5c; // 0x0
						E00405058( &_v28, L"propsys.dll", _t130);
						E004069C8(_v28, _t105);
						_t131 =  *0x415b5c; // 0x0
						E00405058( &_v32, L"dwmapi.dll", _t131);
						E004069C8(_v32, _t105);
						_t132 =  *0x415b5c; // 0x0
						E00405058( &_v36, L"cryptbase.dll", _t132);
						E004069C8(_v36, _t105);
						_t133 =  *0x415b5c; // 0x0
						E00405058( &_v40, L"oleacc.dll", _t133);
						E004069C8(_v40, _t105);
						_t134 =  *0x415b5c; // 0x0
						E00405058( &_v44, L"version.dll", _t134);
						E004069C8(_v44, _t105);
						_t135 =  *0x415b5c; // 0x0
						E00405058( &_v48, L"profapi.dll", _t135);
						E004069C8(_v48, _t105);
						_t136 =  *0x415b5c; // 0x0
						E00405058( &_v52, L"comres.dll", _t136);
						E004069C8(_v52, _t105);
						_t137 =  *0x415b5c; // 0x0
						E00405058( &_v56, L"clbcatq.dll", _t137);
						E004069C8(_v56, _t105);
					}
				}
				_t40 = GetProcAddress(_t140, "SetSearchPathMode");
				if(_t40 != 0) {
					 *_t40(0x8001);
				}
				_t41 = GetProcAddress(_t140, "SetProcessDEPPolicy");
				if(_t41 != 0) {
					 *_t41(1); // executed
				}
				goto L19;
			}

0x004110c5
0x004110c7
0x004110cc
0x004110cc
0x004110ce
0x004110d0
0x004110d0
0x004110d3
0x004110d9
0x004110da
0x004110df
0x004110e2
0x004110e5
0x004110ec
0x00411303
0x00411305
0x00411308
0x0041130b
0x0041131d
0x0041131d
0x004110fc
0x004110fe
0x00411105
0x0041110b
0x00411118
0x0041111c
0x00411123
0x00411128
0x0041112a
0x0041112a
0x0041111c
0x0041112d
0x00411139
0x00411140
0x00411147
0x00411147
0x0041114c
0x00411159
0x00411165
0x0041116b
0x00411172
0x00411177
0x00411177
0x00411179
0x00411185
0x00411191
0x00411191
0x0041119e
0x004111a4
0x004111ac
0x004111b9
0x004111bf
0x004111c7
0x004111d4
0x004111da
0x004111e2
0x004111ef
0x004111f5
0x004111fd
0x0041120a
0x00411210
0x00411218
0x00411225
0x0041122b
0x00411233
0x00411240
0x00411246
0x0041124e
0x0041125b
0x00411261
0x00411269
0x00411276
0x0041127c
0x00411284
0x00411291
0x00411297
0x0041129f
0x004112ac
0x004112b2
0x004112ba
0x004112c7
0x004112cd
0x004112d5
0x004112d5
0x00411165
0x004112e0
0x004112e7
0x004112ee
0x004112ee
0x004112f6
0x004112fd
0x00411301
0x00411301
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,0041131E,?,?,?,?,00000005,00000000,00000000), ref: 004110F7
GetVersion.KERNEL32(kernel32.dll,00000000,0041131E,?,?,?,?,00000005,00000000,00000000), ref: 004110FE
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00411113
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00411139

Part of subcall function 004069C8: SetErrorMode.KERNEL32(00008000), ref: 004069D6
Part of subcall function 004069C8: LoadLibraryW.KERNEL32(00000000,00000000,00406A20,?,00000000,00406A3E,?,00008000), ref: 00406A05

GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004112E0
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004112F6
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,0041131E,?,?,?,?,00000005,00000000,00000000), ref: 00411301

Strings

SetSearchPathMode, xrefs: 004112DA
SetProcessDEPPolicy, xrefs: 004112F0
apphelp.dll, xrefs: 004111EA
dwmapi.dll, xrefs: 00411220
kernel32.dll, xrefs: 004110F2
uxtheme.dll, xrefs: 00411199
comres.dll, xrefs: 004112A7
SetDefaultDllDirectories, xrefs: 0041110D
SetDllDirectoryW, xrefs: 00411133
cryptbase.dll, xrefs: 0041123B
userenv.dll, xrefs: 004111B4
oleacc.dll, xrefs: 00411256
propsys.dll, xrefs: 00411205
clbcatq.dll, xrefs: 004112C2
setupapi.dll, xrefs: 004111CF
version.dll, xrefs: 00411271
profapi.dll, xrefs: 0041128C

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 2248137261-2388063882
Opcode ID: bcd86be6ede9f35533a8287881bcd1aec4990898a94ccdcf4b7cd9b6f9992ccf
Instruction ID: 5ba2602b3ae426752e8bc3b72944c024d579907c793108ba05fbf413d09d3323
Opcode Fuzzy Hash: bcd86be6ede9f35533a8287881bcd1aec4990898a94ccdcf4b7cd9b6f9992ccf
Instruction Fuzzy Hash: F051AE706105089BD704FBA5D8829EE73B6EF85304B60C13BEA11B76E5CB3CAD458B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00405DE8, Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 207
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00405DE8(WCHAR* __eax) {
				WCHAR* _v8;
				void* _v12;
				short _v18;
				short _v22;
				short _v32;
				int _v36;
				short _v558;
				long _t48;
				signed int _t58;
				long _t67;
				long _t69;
				long _t71;
				WCHAR* _t82;
				struct HINSTANCE__* _t89;
				struct HINSTANCE__* _t96;
				short* _t108;
				WCHAR* _t109;
				intOrPtr _t113;
				signed int _t115;
				signed int _t116;
				signed int _t118;
				signed int _t119;
				signed int _t121;
				signed int _t122;
				struct HINSTANCE__* _t124;
				void* _t127;
				void* _t129;
				intOrPtr _t130;
				long _t137;

				_t127 = _t129;
				_t130 = _t129 + 0xfffffdd4;
				_v8 = __eax;
				GetModuleFileNameW(0,  &_v558, 0x105);
				_v32 = 0;
				_t48 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v12); // executed
				if(_t48 == 0) {
					L4:
					_push(_t127);
					_push(0x405f1c);
					_push( *[fs:eax]);
					 *[fs:eax] = _t130;
					_v36 = 0xa;
					E00405BEC( &_v558, 0x105);
					if(RegQueryValueExW(_v12,  &_v558, 0, 0,  &_v32,  &_v36) != 0) {
						_t137 = RegQueryValueExW(_v12, E00406110, 0, 0,  &_v32,  &_v36);
						if(_t137 != 0) {
							_v32 = 0;
						}
					}
					_t58 = _v36 >> 1;
					if(_t137 < 0) {
						asm("adc eax, 0x0");
					}
					 *((short*)(_t127 + _t58 * 2 - 0x1c)) = 0;
					_pop(_t113);
					 *[fs:eax] = _t113;
					_push(E00405F23);
					return RegCloseKey(_v12);
				} else {
					_t67 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v12); // executed
					if(_t67 == 0) {
						goto L4;
					} else {
						_t69 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
						if(_t69 == 0) {
							goto L4;
						} else {
							_t71 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
							if(_t71 != 0) {
								lstrcpynW( &_v558, _v8, 0x105);
								GetLocaleInfoW(GetThreadLocale(), 3,  &_v22, 5); // executed
								_t124 = 0;
								if(_v558 != 0 && (_v22 != 0 || _v32 != 0)) {
									_t108 = lstrlenW( &_v558) + _t80 +  &_v558;
									L16:
									if( *_t108 != 0x2e && _t108 !=  &_v558) {
										_t108 = _t108 - 2;
										goto L16;
									}
									_t82 =  &_v558;
									if(_t108 != _t82) {
										_t109 = _t108 + 2;
										if(_v32 != 0) {
											_t121 = _t109 - _t82;
											_t122 = _t121 >> 1;
											if(_t121 < 0) {
												asm("adc edx, 0x0");
											}
											lstrcpynW(_t109,  &_v32, 0x105 - _t122);
											_t124 = LoadLibraryExW( &_v558, 0, 2);
										}
										if(_t124 == 0 && _v22 != 0) {
											_t115 = _t109 -  &_v558;
											_t116 = _t115 >> 1;
											if(_t115 < 0) {
												asm("adc edx, 0x0");
											}
											lstrcpynW(_t109,  &_v22, 0x105 - _t116);
											_t89 = LoadLibraryExW( &_v558, 0, 2); // executed
											_t124 = _t89;
											if(_t124 == 0) {
												_v18 = 0;
												_t118 = _t109 -  &_v558;
												_t119 = _t118 >> 1;
												if(_t118 < 0) {
													asm("adc edx, 0x0");
												}
												lstrcpynW(_t109,  &_v22, 0x105 - _t119);
												_t96 = LoadLibraryExW( &_v558, 0, 2); // executed
												_t124 = _t96;
											}
										}
									}
								}
								return _t124;
							} else {
								goto L4;
							}
						}
					}
				}
			}

0x00405de9
0x00405deb
0x00405df3
0x00405e04
0x00405e09
0x00405e24
0x00405e2b
0x00405e8b
0x00405e8d
0x00405e8e
0x00405e93
0x00405e96
0x00405e99
0x00405eab
0x00405ece
0x00405eea
0x00405eec
0x00405eee
0x00405eee
0x00405eec
0x00405ef7
0x00405ef9
0x00405efb
0x00405efb
0x00405efe
0x00405f07
0x00405f0a
0x00405f0d
0x00405f1b
0x00405e2d
0x00405e42
0x00405e49
0x00000000
0x00405e4b
0x00405e60
0x00405e67
0x00000000
0x00405e69
0x00405e7e
0x00405e85
0x00405f33
0x00405f46
0x00405f4b
0x00405f55
0x00405f83
0x00405f8a
0x00405f8e
0x00405f87
0x00000000
0x00405f87
0x00405f9a
0x00405fa2
0x00405fa8
0x00405fb0
0x00405fb4
0x00405fb6
0x00405fb8
0x00405fba
0x00405fba
0x00405fca
0x00405fdf
0x00405fdf
0x00405fe3
0x00405ff4
0x00405ff6
0x00405ff8
0x00405ffa
0x00405ffa
0x0040600a
0x0040601a
0x0040601f
0x00406023
0x00406025
0x00406033
0x00406035
0x00406037
0x00406039
0x00406039
0x00406049
0x00406059
0x0040605e
0x0040605e
0x00406023
0x00405fe3
0x00405fa2
0x00406067
0x00000000
0x00000000
0x00000000
0x00405e85
0x00405e67
0x00405e49

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,00000000), ref: 00405E04
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 00405E24
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 00405E42
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 00405E60
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00405E7E
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405F1C,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 00405EC7
RegQueryValueExW.ADVAPI32(?,00406110,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405F1C,?,80000001), ref: 00405EE5
RegCloseKey.ADVAPI32(?,00405F23,00000000,?,?,00000000,00405F1C,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F16
lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 00405F33
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405F40
GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405F46
lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405F74
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405FCA
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405FDA
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0040600A
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0040601A
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406049

Strings

Software\Borland\Delphi\Locales, xrefs: 00405E74
Software\Borland\Locales, xrefs: 00405E56
Software\CodeGear\Locales, xrefs: 00405E1A, 00405E38

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Openlstrcpyn$LibraryLoadLocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
API String ID: 3838733197-345420546
Opcode ID: ed19aa05aec1765680b8a5727bfaec113ff10cf714bcfc3f630a7a3f4138bf86
Instruction ID: 5f6b4038d93197cc4a444e8185523a96e657e7a92dffb1bb2a9d05fafe77d5e4
Opcode Fuzzy Hash: ed19aa05aec1765680b8a5727bfaec113ff10cf714bcfc3f630a7a3f4138bf86
Instruction Fuzzy Hash: 30615671A406197AEB21DAA5CC46FEF72BCDB0C744F404076BA01FA5C1E6BC9E448B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405F23, Relevance: 15.1, APIs: 10, Instructions: 108
stringlibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00405F23() {
				void* _t32;
				struct HINSTANCE__* _t39;
				struct HINSTANCE__* _t46;
				short* _t57;
				WCHAR* _t58;
				signed int _t60;
				signed int _t61;
				signed int _t63;
				signed int _t64;
				signed int _t66;
				signed int _t67;
				struct HINSTANCE__* _t68;
				void* _t70;

				lstrcpynW(_t70 - 0x22a,  *(_t70 - 4), 0x105);
				GetLocaleInfoW(GetThreadLocale(), 3, _t70 - 0x12, 5); // executed
				_t68 = 0;
				if( *(_t70 - 0x22a) == 0 ||  *(_t70 - 0x12) == 0 &&  *(_t70 - 0x1c) == 0) {
					L20:
					return _t68;
				} else {
					_t57 = lstrlenW(_t70 - 0x22a) + _t30 + _t70 - 0x22a;
					L5:
					if( *_t57 != 0x2e && _t57 != _t70 - 0x22a) {
						_t57 = _t57 - 2;
						goto L5;
					}
					_t32 = _t70 - 0x22a;
					if(_t57 != _t32) {
						_t58 = _t57 + 2;
						if( *(_t70 - 0x1c) != 0) {
							_t66 = _t58 - _t32;
							_t67 = _t66 >> 1;
							if(_t66 < 0) {
								asm("adc edx, 0x0");
							}
							lstrcpynW(_t58, _t70 - 0x1c, 0x105 - _t67);
							_t68 = LoadLibraryExW(_t70 - 0x22a, 0, 2);
						}
						if(_t68 == 0 &&  *(_t70 - 0x12) != 0) {
							_t60 = _t58 - _t70 - 0x22a;
							_t61 = _t60 >> 1;
							if(_t60 < 0) {
								asm("adc edx, 0x0");
							}
							lstrcpynW(_t58, _t70 - 0x12, 0x105 - _t61);
							_t39 = LoadLibraryExW(_t70 - 0x22a, 0, 2); // executed
							_t68 = _t39;
							if(_t68 == 0) {
								 *((short*)(_t70 - 0xe)) = 0;
								_t63 = _t58 - _t70 - 0x22a;
								_t64 = _t63 >> 1;
								if(_t63 < 0) {
									asm("adc edx, 0x0");
								}
								lstrcpynW(_t58, _t70 - 0x12, 0x105 - _t64);
								_t46 = LoadLibraryExW(_t70 - 0x22a, 0, 2); // executed
								_t68 = _t46;
							}
						}
					}
					goto L20;
				}
			}

0x00405f33
0x00405f46
0x00405f4b
0x00405f55
0x00406060
0x00406067
0x00405f6d
0x00405f83
0x00405f8a
0x00405f8e
0x00405f87
0x00000000
0x00405f87
0x00405f9a
0x00405fa2
0x00405fa8
0x00405fb0
0x00405fb4
0x00405fb6
0x00405fb8
0x00405fba
0x00405fba
0x00405fca
0x00405fdf
0x00405fdf
0x00405fe3
0x00405ff4
0x00405ff6
0x00405ff8
0x00405ffa
0x00405ffa
0x0040600a
0x0040601a
0x0040601f
0x00406023
0x00406025
0x00406033
0x00406035
0x00406037
0x00406039
0x00406039
0x00406049
0x00406059
0x0040605e
0x0040605e
0x00406023
0x00405fe3
0x00000000
0x00405fa2

APIs

lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 00405F33
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405F40
GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405F46
lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405F74
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405FCA
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405FDA
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0040600A
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0040601A
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406049
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?), ref: 00406059

Strings

Software\Borland\Delphi\Locales, xrefs: 00405E74
Software\Borland\Locales, xrefs: 00405E56
Software\CodeGear\Locales, xrefs: 00405E1A, 00405E38

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
API String ID: 1599918012-345420546
Opcode ID: f347cc9f3c477e58c1cd365ffa1779204afb21583e55c99ec7d7252987469007
Instruction ID: 4452d95ce859696c23b6bd0f50a078a4c31ee5800544849d8d1c420259f7e676
Opcode Fuzzy Hash: f347cc9f3c477e58c1cd365ffa1779204afb21583e55c99ec7d7252987469007
Instruction Fuzzy Hash: D3318232E402196BDB21DAA5CC49BEB62BC9B0C344F444076B601F72C4F6BC9E448B99

Uniqueness

Uniqueness Score: -1.00%

Function 00406458, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406458() {
				intOrPtr _v16;
				struct _SYSTEM_INFO* _t3;

				GetSystemInfo(_t3); // executed
				return _v16;
			}

0x0040645c
0x00406468

APIs

GetSystemInfo.KERNEL32 ref: 0040645C

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9ce24fec29c07a0e080f9dc895799ad5acc0e028318248ff73c69df84a526f2f
Instruction ID: 0cc09a7703e4d468e824d7ecf1c2981a2773579081892800ab72b071deb089ba
Opcode Fuzzy Hash: 9ce24fec29c07a0e080f9dc895799ad5acc0e028318248ff73c69df84a526f2f
Instruction Fuzzy Hash: C4A012204084010AC508A7194C8380F31841945614FC80324745CB93D2E619856403DB

Uniqueness

Uniqueness Score: -1.00%

Function 00411C96, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00411C96(long __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t19;
				intOrPtr _t21;
				struct HWND__* _t23;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t28;
				intOrPtr _t30;
				intOrPtr _t38;
				intOrPtr _t41;
				int _t42;
				intOrPtr _t43;
				intOrPtr _t45;
				struct HWND__* _t48;
				intOrPtr _t49;
				intOrPtr _t52;
				void* _t55;
				intOrPtr _t61;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				void* _t74;
				void* _t75;

				_t75 = __eflags;
				_t55 = __ecx;
				0x1840();
				SetLastError(__eax);
				E0040E770(0x69, __ebx, _t55, __esi, _t75);
				E0040404C();
				_t19 =  *0x41865c; // 0x0
				 *0x41865c = 0;
				E00403894(_t19);
				_t21 =  *0x415b48; // 0x400000
				_t23 = E004068EC(0, L"STATIC", 0, _t21, 0, 0, 0, 0, 0, 0, 0); // executed
				 *0x412af0 = _t23;
				_t24 =  *0x412af0; // 0x2a0068
				 *0x418654 = SetWindowLongW(_t24, 0xfffffffc, E0040EAC4);
				_t27 =  *0x412af0; // 0x2a0068
				 *(_t74 - 0x58) = _t27;
				 *((char*)(_t74 - 0x54)) = 0;
				_t28 =  *0x418664; // 0x42dcb8
				_t4 = _t28 + 0x20; // 0x1675e9f
				 *((intOrPtr*)(_t74 - 0x50)) =  *_t4;
				 *((char*)(_t74 - 0x4c)) = 0;
				_t30 =  *0x418664; // 0x42dcb8
				_t7 = _t30 + 0x24; // 0x25200
				 *((intOrPtr*)(_t74 - 0x48)) =  *_t7;
				 *((char*)(_t74 - 0x44)) = 0;
				E004082D4(L"/SL5=\"$%x,%d,%d,", 2, _t74 - 0x58, _t74 - 0x40);
				_push( *((intOrPtr*)(_t74 - 0x40)));
				_push( *0x418658);
				_push(0x411f5c);
				E0040B84C(_t74 - 0x5c, __ebx, __esi, _t75);
				_push( *((intOrPtr*)(_t74 - 0x5c)));
				E0040513C(_t74 - 0x3c, 4, __edi);
				_t38 =  *0x418670; // 0x0, executed
				E0040EB50(_t38, __ebx, 0x412aec,  *((intOrPtr*)(_t74 - 0x3c)), __edi, __esi, __fp0); // executed
				if( *0x412ae8 != 0xffffffff) {
					_t52 =  *0x412ae8; // 0x0
					E0040EA2C(_t52, 0x412aec);
				}
				_pop(_t69);
				 *[fs:eax] = _t69;
				_push(E00411E30);
				_t41 =  *0x41865c; // 0x0
				_t42 = E00403894(_t41);
				if( *0x418670 != 0) {
					_t71 =  *0x418670; // 0x0
					_t42 = E0040E5DC(0, _t71, 0xfa, 0x32); // executed
				}
				if( *0x418668 != 0) {
					_t49 =  *0x418668; // 0x0
					_t42 = RemoveDirectoryW(E00404D24(_t49)); // executed
				}
				if( *0x412af0 != 0) {
					_t48 =  *0x412af0; // 0x2a0068
					_t42 = DestroyWindow(_t48); // executed
				}
				if( *0x41864c != 0) {
					_t43 =  *0x41864c; // 0x0
					_t61 =  *0x418650; // 0xc
					_t70 =  *0x40dcc4; // 0x40dcc8
					E00405548(_t43, _t61, _t70);
					_t45 =  *0x41864c; // 0x0
					E00402E20(_t45);
					 *0x41864c = 0;
					return 0;
				}
				return _t42;
			}

0x00411c96
0x00411c96
0x00411c96
0x00411c9e
0x00411ca5
0x00411caa
0x00411caf
0x00411cb6
0x00411cbc
0x00411ccf
0x00411ce3
0x00411ce8
0x00411cf4
0x00411cff
0x00411d08
0x00411d0d
0x00411d10
0x00411d14
0x00411d19
0x00411d1c
0x00411d1f
0x00411d23
0x00411d28
0x00411d2b
0x00411d2e
0x00411d3f
0x00411d44
0x00411d47
0x00411d4d
0x00411d55
0x00411d5a
0x00411d65
0x00411d72
0x00411d77
0x00411d83
0x00411d85
0x00411d8a
0x00411d8a
0x00411d91
0x00411d94
0x00411d97
0x00411d9c
0x00411da1
0x00411dad
0x00411dbb
0x00411dc3
0x00411dc3
0x00411dcf
0x00411dd1
0x00411ddc
0x00411ddc
0x00411de8
0x00411dea
0x00411df0
0x00411df0
0x00411dfc
0x00411dfe
0x00411e03
0x00411e09
0x00411e0f
0x00411e14
0x00411e19
0x00411e20
0x00000000
0x00411e20
0x00411e25

APIs

SetLastError.KERNEL32(00000000), ref: 00411C9E

Part of subcall function 0040E770: GetLastError.KERNEL32(00000000,0040E817,?,?,00000000), ref: 0040E793

Part of subcall function 004068EC: CreateWindowExW.USER32 ref: 0040692B

SetWindowLongW.USER32 ref: 00411CFA

Part of subcall function 0040B84C: GetCommandLineW.KERNEL32(00000000,0040B88E,?,?,00000000,?,00411D5A,00411F5C,?), ref: 0040B862

Part of subcall function 0040EB50: CreateProcessW.KERNEL32 ref: 0040EBC0
Part of subcall function 0040EB50: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,0040EC50,00000000,0040EC40,00000000), ref: 0040EBD4
Part of subcall function 0040EB50: MsgWaitForMultipleObjects.USER32 ref: 0040EBED
Part of subcall function 0040EB50: GetExitCodeProcess.KERNEL32 ref: 0040EC01
Part of subcall function 0040EB50: CloseHandle.KERNEL32(?,?,00412AEC,00000001,?,00000000,000000FF,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040EC0A

RemoveDirectoryW.KERNEL32(00000000,00411E30,?,?,?,?,?,?,?,?,?,?,002A0068,000000FC,0040EAC4,00000000), ref: 00411DDC
DestroyWindow.USER32(002A0068,00411E30,?,?,?,?,?,?,?,?,?,?,002A0068,000000FC,0040EAC4,00000000), ref: 00411DF0

Strings

/SL5="$%x,%d,%d,, xrefs: 00411D3A
InnoSetupLdrWindow, xrefs: 00411CD7
STATIC, xrefs: 00411CDC

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$CloseCreateErrorHandleLastProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 2016261911-3001827809
Opcode ID: 3d5eb3ba2af2cb31e641145fdf4efdddbec66f7e0ffecaf89dfd04d9d16d1a38
Instruction ID: b533c9448902221149ce9476a49e0a73e805eb15627331010c16b366fa4b9f1f
Opcode Fuzzy Hash: 3d5eb3ba2af2cb31e641145fdf4efdddbec66f7e0ffecaf89dfd04d9d16d1a38
Instruction Fuzzy Hash: B6411570A402409FDB10EBA9ED45BDE77E5AB48308F10C53EE601AB2F5DB789852CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401C7C, Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00401C7C(void* __eax, signed int __edi, void* __ebp) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				signed int __ebx;
				void* _t58;
				signed int _t61;
				int _t65;
				signed int _t67;
				void _t70;
				int _t71;
				signed int _t78;
				void* _t79;
				signed int _t81;
				intOrPtr _t82;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				void* _t96;
				signed int _t99;
				void* _t103;
				intOrPtr _t104;
				void* _t106;
				void* _t108;
				signed int _t113;
				void* _t115;
				void* _t116;

				_t56 = __eax;
				_t89 =  *(__eax - 4);
				_t78 =  *0x41304d; // 0x0
				if((_t89 & 0x00000007) != 0) {
					__eflags = _t89 & 0x00000005;
					if((_t89 & 0x00000005) != 0) {
						_pop(_t78);
						__eflags = _t89 & 0x00000003;
						if((_t89 & 0x00000003) == 0) {
							_push(_t78);
							_push(__edi);
							_t116 = _t115 + 0xffffffdc;
							_t103 = __eax - 0x10;
							E0040165C();
							_t58 = _t103;
							 *_t116 =  *_t58;
							_v48 =  *((intOrPtr*)(_t58 + 4));
							_t92 =  *(_t58 + 0xc);
							if((_t92 & 0x00000008) != 0) {
								_t79 = _t103;
								_t113 = _t92 & 0xfffffff0;
								_t99 = 0;
								__eflags = 0;
								while(1) {
									VirtualQuery(_t79,  &_v44, 0x1c);
									_t61 = VirtualFree(_t79, 0, 0x8000);
									__eflags = _t61;
									if(_t61 == 0) {
										_t99 = _t99 | 0xffffffff;
										goto L10;
									}
									_t104 = _v44.RegionSize;
									__eflags = _t113 - _t104;
									if(_t113 > _t104) {
										_t113 = _t113 - _t104;
										_t79 = _t79 + _t104;
										continue;
									}
									goto L10;
								}
							} else {
								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
								if(_t65 == 0) {
									_t99 = __edi | 0xffffffff;
								} else {
									_t99 = 0;
								}
							}
							L10:
							if(_t99 == 0) {
								 *_v48 =  *_t116;
								 *( *_t116 + 4) = _v48;
							}
							 *0x415ac4 = 0;
							return _t99;
						} else {
							return 0xffffffff;
						}
					} else {
						goto L31;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L14;
							}
							asm("pause");
							__eflags =  *0x4138d5;
							if(__eflags != 0) {
								continue;
							} else {
								Sleep(0);
								__edx = __edx;
								__ecx = __ecx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									__edx = __edx;
									__ecx = __ecx;
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t14 = __edx + 0xc;
					 *_t14 =  *(__edx + 0xc) - 1;
					__eflags =  *_t14;
					__eax =  *(__edx + 8);
					if( *_t14 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L20:
							 *(__ebx + 0xc) = __eax;
						} else {
							__eax =  *(__edx + 0x14);
							__ecx =  *(__edx + 4);
							 *(__eax + 4) = __ecx;
							 *(__ecx + 0x14) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x10)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x10)) == __edx) {
								goto L20;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x41304d; // 0x0
						L31:
						__eflags = _t78;
						_t81 = _t89 & 0xfffffff0;
						_push(_t101);
						_t106 = _t56;
						if(__eflags != 0) {
							while(1) {
								_t67 = 0x100;
								asm("lock cmpxchg [0x413a34], ah");
								if(__eflags == 0) {
									goto L32;
								}
								asm("pause");
								__eflags =  *0x4138d5;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									_t67 = 0x100;
									asm("lock cmpxchg [0x413a34], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L32;
							}
						}
						L32:
						__eflags = (_t106 - 4)[_t81] & 0x00000001;
						_t87 = (_t106 - 4)[_t81];
						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
							_t67 = _t81 + _t106;
							_t88 = _t87 & 0xfffffff0;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E004014D8(_t67);
							}
						} else {
							_t88 = _t87 | 0x00000008;
							__eflags = _t88;
							(_t106 - 4)[_t81] = _t88;
						}
						__eflags =  *(_t106 - 4) & 0x00000008;
						if(( *(_t106 - 4) & 0x00000008) != 0) {
							_t88 =  *(_t106 - 8);
							_t106 = _t106 - _t88;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E004014D8(_t106);
							}
						}
						__eflags = _t81 - 0x13ffe0;
						if(_t81 == 0x13ffe0) {
							__eflags =  *0x413a3c - 0x13ffe0;
							if( *0x413a3c != 0x13ffe0) {
								_t82 = _t106 + 0x13ffe0;
								E00401578(_t67);
								 *((intOrPtr*)(_t82 - 4)) = 2;
								 *0x413a3c = 0x13ffe0;
								 *0x413a38 = _t82;
								 *0x413a34 = 0;
								__eflags = 0;
								return 0;
							} else {
								_t108 = _t106 - 0x10;
								_t70 =  *_t108;
								_t96 =  *(_t108 + 4);
								 *(_t70 + 4) = _t96;
								 *_t96 = _t70;
								 *0x413a34 = 0;
								_t71 = VirtualFree(_t108, 0, 0x8000);
								__eflags = _t71 - 1;
								asm("sbb eax, eax");
								return _t71;
							}
						} else {
							 *(_t106 - 4) = _t81 + 3;
							 *(_t106 - 8 + _t81) = _t81;
							E00401518(_t106, _t88, _t81);
							 *0x413a34 = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 8) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 4);
							 *(__edx + 0x14) = __ebx;
							 *(__edx + 4) = __ecx;
							 *(__ecx + 0x14) = __edx;
							 *(__ebx + 4) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

0x00401c7c
0x00401c7c
0x00401c85
0x00401c8b
0x00401d74
0x00401d77
0x00401e64
0x00401e65
0x00401e68
0x00401708
0x0040170a
0x0040170c
0x00401711
0x00401714
0x00401719
0x0040171d
0x00401723
0x00401727
0x0040172d
0x00401749
0x0040174d
0x00401750
0x00401750
0x00401752
0x0040175a
0x00401767
0x0040176c
0x0040176e
0x00401770
0x00401773
0x00401773
0x00401775
0x00401779
0x0040177b
0x0040177d
0x0040177f
0x00000000
0x0040177f
0x00000000
0x0040177b
0x0040172f
0x00401737
0x0040173e
0x00401744
0x00401740
0x00401740
0x00401740
0x0040173e
0x00401783
0x00401785
0x0040178e
0x00401797
0x00401797
0x0040179a
0x004017aa
0x00401e6e
0x00401e73
0x00401e73
0x00000000
0x00000000
0x00000000
0x00401c91
0x00401c91
0x00401c93
0x00401c95
0x00401cf8
0x00401cf8
0x00401cfd
0x00401d01
0x00000000
0x00000000
0x00401d03
0x00401d05
0x00401d0c
0x00000000
0x00401d0e
0x00401d12
0x00401d17
0x00401d18
0x00401d19
0x00401d1e
0x00401d22
0x00401d2c
0x00401d31
0x00401d32
0x00000000
0x00401d32
0x00401d22
0x00000000
0x00401d0c
0x00401cf8
0x00401c97
0x00401c97
0x00401c97
0x00401c97
0x00401c9b
0x00401c9e
0x00401ccc
0x00401cce
0x00401ce3
0x00401ce3
0x00401cd0
0x00401cd0
0x00401cd3
0x00401cd6
0x00401cd9
0x00401cdc
0x00401cde
0x00401ce1
0x00000000
0x00000000
0x00401ce1
0x00401ce6
0x00401ce8
0x00401cea
0x00401ced
0x00401d7d
0x00401d80
0x00401d82
0x00401d84
0x00401d85
0x00401d87
0x00401d38
0x00401d38
0x00401d3d
0x00401d45
0x00000000
0x00000000
0x00401d47
0x00401d49
0x00401d50
0x00000000
0x00401d52
0x00401d54
0x00401d59
0x00401d5e
0x00401d66
0x00401d6a
0x00000000
0x00401d6a
0x00401d66
0x00000000
0x00401d50
0x00401d38
0x00401d89
0x00401d89
0x00401d91
0x00401d95
0x00401dcc
0x00401dcf
0x00401dd2
0x00401dd4
0x00401dda
0x00401ddc
0x00401ddc
0x00401d97
0x00401d97
0x00401d97
0x00401d9a
0x00401d9a
0x00401d9e
0x00401da2
0x00401de4
0x00401de7
0x00401de9
0x00401deb
0x00401df1
0x00401df5
0x00401df5
0x00401df1
0x00401da4
0x00401daa
0x00401dfc
0x00401e06
0x00401e34
0x00401e3a
0x00401e3f
0x00401e46
0x00401e50
0x00401e56
0x00401e5d
0x00401e61
0x00401e08
0x00401e08
0x00401e0b
0x00401e0d
0x00401e10
0x00401e13
0x00401e15
0x00401e24
0x00401e29
0x00401e2c
0x00401e30
0x00401e30
0x00401dac
0x00401daf
0x00401db2
0x00401dba
0x00401dbf
0x00401dc6
0x00401dca
0x00401dca
0x00401ca0
0x00401ca0
0x00401ca2
0x00401ca8
0x00401cab
0x00401cb4
0x00401cb7
0x00401cba
0x00401cbd
0x00401cc0
0x00401cc3
0x00401cc6
0x00401cc6
0x00401cc8
0x00401cc9
0x00401cad
0x00401cad
0x00401cad
0x00401caf
0x00401cb1
0x00401cb2
0x00401cb2
0x00401cab
0x00401c9e

APIs

Sleep.KERNEL32(00000000,?,?,00000000,004018EE), ref: 00401D12
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,004018EE), ref: 00401D2C

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ecfed8f1ed0807f6ccd603253e02b2531eae0721a97c3b398313b2851d848f78
Instruction ID: 467b249c574562f1bac75438b18abd5afc4c200c530fec1930f0d5df439eec02
Opcode Fuzzy Hash: ecfed8f1ed0807f6ccd603253e02b2531eae0721a97c3b398313b2851d848f78
Instruction Fuzzy Hash: 9B71E1316452408BE715DF29CA84B66BBD4AF85314F18827FE848AB3F2D778D8418799

Uniqueness

Uniqueness Score: -1.00%

Function 00411C7F, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00411C7F(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t17;
				intOrPtr _t19;
				struct HWND__* _t21;
				struct HWND__* _t22;
				struct HWND__* _t25;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t36;
				intOrPtr _t39;
				int _t40;
				intOrPtr _t41;
				intOrPtr _t43;
				struct HWND__* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t73;
				void* _t74;

				_t74 = __eflags;
				_pop(_t62);
				 *[fs:eax] = _t62;
				_t17 =  *0x41865c; // 0x0
				 *0x41865c = 0;
				E00403894(_t17);
				_t19 =  *0x415b48; // 0x400000
				_t21 = E004068EC(0, L"STATIC", 0, _t19, 0, 0, 0, 0, 0, 0, 0); // executed
				 *0x412af0 = _t21;
				_t22 =  *0x412af0; // 0x2a0068
				 *0x418654 = SetWindowLongW(_t22, 0xfffffffc, E0040EAC4);
				_t25 =  *0x412af0; // 0x2a0068
				 *(_t73 - 0x58) = _t25;
				 *((char*)(_t73 - 0x54)) = 0;
				_t26 =  *0x418664; // 0x42dcb8
				_t4 = _t26 + 0x20; // 0x1675e9f
				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
				 *((char*)(_t73 - 0x4c)) = 0;
				_t28 =  *0x418664; // 0x42dcb8
				_t7 = _t28 + 0x24; // 0x25200
				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
				 *((char*)(_t73 - 0x44)) = 0;
				E004082D4(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
				_push( *((intOrPtr*)(_t73 - 0x40)));
				_push( *0x418658);
				_push(0x411f5c);
				E0040B84C(_t73 - 0x5c, __ebx, __esi, _t74);
				_push( *((intOrPtr*)(_t73 - 0x5c)));
				E0040513C(_t73 - 0x3c, 4, __edi);
				_t36 =  *0x418670; // 0x0, executed
				E0040EB50(_t36, __ebx, 0x412aec,  *((intOrPtr*)(_t73 - 0x3c)), __edi, __esi, __fp0); // executed
				if( *0x412ae8 != 0xffffffff) {
					_t50 =  *0x412ae8; // 0x0
					E0040EA2C(_t50, 0x412aec);
				}
				_pop(_t68);
				 *[fs:eax] = _t68;
				_push(E00411E30);
				_t39 =  *0x41865c; // 0x0
				_t40 = E00403894(_t39);
				if( *0x418670 != 0) {
					_t70 =  *0x418670; // 0x0
					_t40 = E0040E5DC(0, _t70, 0xfa, 0x32); // executed
				}
				if( *0x418668 != 0) {
					_t47 =  *0x418668; // 0x0
					_t40 = RemoveDirectoryW(E00404D24(_t47)); // executed
				}
				if( *0x412af0 != 0) {
					_t46 =  *0x412af0; // 0x2a0068
					_t40 = DestroyWindow(_t46); // executed
				}
				if( *0x41864c != 0) {
					_t41 =  *0x41864c; // 0x0
					_t60 =  *0x418650; // 0xc
					_t69 =  *0x40dcc4; // 0x40dcc8
					E00405548(_t41, _t60, _t69);
					_t43 =  *0x41864c; // 0x0
					E00402E20(_t43);
					 *0x41864c = 0;
					return 0;
				}
				return _t40;
			}

0x00411c7f
0x00411c81
0x00411c84
0x00411caf
0x00411cb6
0x00411cbc
0x00411ccf
0x00411ce3
0x00411ce8
0x00411cf4
0x00411cff
0x00411d08
0x00411d0d
0x00411d10
0x00411d14
0x00411d19
0x00411d1c
0x00411d1f
0x00411d23
0x00411d28
0x00411d2b
0x00411d2e
0x00411d3f
0x00411d44
0x00411d47
0x00411d4d
0x00411d55
0x00411d5a
0x00411d65
0x00411d72
0x00411d77
0x00411d83
0x00411d85
0x00411d8a
0x00411d8a
0x00411d91
0x00411d94
0x00411d97
0x00411d9c
0x00411da1
0x00411dad
0x00411dbb
0x00411dc3
0x00411dc3
0x00411dcf
0x00411dd1
0x00411ddc
0x00411ddc
0x00411de8
0x00411dea
0x00411df0
0x00411df0
0x00411dfc
0x00411dfe
0x00411e03
0x00411e09
0x00411e0f
0x00411e14
0x00411e19
0x00411e20
0x00000000
0x00411e20
0x00411e25

APIs

Part of subcall function 004068EC: CreateWindowExW.USER32 ref: 0040692B

SetWindowLongW.USER32 ref: 00411CFA

Part of subcall function 0040B84C: GetCommandLineW.KERNEL32(00000000,0040B88E,?,?,00000000,?,00411D5A,00411F5C,?), ref: 0040B862

Part of subcall function 0040EB50: CreateProcessW.KERNEL32 ref: 0040EBC0
Part of subcall function 0040EB50: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,0040EC50,00000000,0040EC40,00000000), ref: 0040EBD4
Part of subcall function 0040EB50: MsgWaitForMultipleObjects.USER32 ref: 0040EBED
Part of subcall function 0040EB50: GetExitCodeProcess.KERNEL32 ref: 0040EC01
Part of subcall function 0040EB50: CloseHandle.KERNEL32(?,?,00412AEC,00000001,?,00000000,000000FF,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040EC0A

RemoveDirectoryW.KERNEL32(00000000,00411E30,?,?,?,?,?,?,?,?,?,?,002A0068,000000FC,0040EAC4,00000000), ref: 00411DDC
DestroyWindow.USER32(002A0068,00411E30,?,?,?,?,?,?,?,?,?,?,002A0068,000000FC,0040EAC4,00000000), ref: 00411DF0

Strings

/SL5="$%x,%d,%d,, xrefs: 00411D3A
InnoSetupLdrWindow, xrefs: 00411CD7
STATIC, xrefs: 00411CDC

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-3001827809
Opcode ID: d8b040ad269f919bf68d133973d5a8c0d91c4dcc8319d04100ed1b2578fb33bc
Instruction ID: bdf286289dcee5fb5ab6c9f927e3d040cb7b6d6cdaac718be8b3363f17973679
Opcode Fuzzy Hash: d8b040ad269f919bf68d133973d5a8c0d91c4dcc8319d04100ed1b2578fb33bc
Instruction Fuzzy Hash: 94413670A002409FD710EBA9ED45BD977E5EB48308F10C53EE501AB2F5DB78A842CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB50, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040EB50(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				struct _STARTUPINFOW _v76;
				void* _v88;
				void* _v92;
				int _t23;
				intOrPtr _t49;
				DWORD* _t51;
				void* _t56;

				_v8 = 0;
				_t51 = __ecx;
				_t53 = __edx;
				_t41 = __eax;
				_push(_t56);
				_push(0x40ec25);
				_push( *[fs:eax]);
				 *[fs:eax] = _t56 + 0xffffffa8;
				_push(0x40ec40);
				_push(__eax);
				_push(0x40ec50);
				_push(__edx);
				E0040513C( &_v8, 4, __ecx);
				E00403250( &_v76, 0x44);
				_v76.cb = 0x44;
				_t23 = CreateProcessW(0, E00404D24(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
				_t58 = _t23;
				if(_t23 == 0) {
					E0040E770(0x6a, _t41, 0, _t53, _t58);
				}
				CloseHandle(_v88);
				do {
					E0040EB24();
				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0xff) == 1);
				E0040EB24();
				GetExitCodeProcess(_v92, _t51); // executed
				CloseHandle(_v92); // executed
				_pop(_t49);
				 *[fs:eax] = _t49;
				_push(E0040EC2C);
				return L00404C88( &_v8);
			}

0x0040eb5b
0x0040eb5e
0x0040eb60
0x0040eb62
0x0040eb66
0x0040eb67
0x0040eb6c
0x0040eb6f
0x0040eb72
0x0040eb77
0x0040eb78
0x0040eb7d
0x0040eb86
0x0040eb95
0x0040eb9a
0x0040ebc0
0x0040ebc5
0x0040ebc7
0x0040ebcb
0x0040ebcb
0x0040ebd4
0x0040ebd9
0x0040ebd9
0x0040ebf2
0x0040ebf7
0x0040ec01
0x0040ec0a
0x0040ec11
0x0040ec14
0x0040ec17
0x0040ec24

APIs

CreateProcessW.KERNEL32 ref: 0040EBC0
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,0040EC50,00000000,0040EC40,00000000), ref: 0040EBD4
MsgWaitForMultipleObjects.USER32 ref: 0040EBED
GetExitCodeProcess.KERNEL32 ref: 0040EC01
CloseHandle.KERNEL32(?,?,00412AEC,00000001,?,00000000,000000FF,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040EC0A

Part of subcall function 0040E770: GetLastError.KERNEL32(00000000,0040E817,?,?,00000000), ref: 0040E793

Strings

D, xrefs: 0040EB9A

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: a6ff89ed3a7af871bd8892619289be0b7db995d6aafe0c9dcf50d58a480d1a77
Instruction ID: add36b46b0d196150248f45db4bca9ee2f109f5487918607dc2b216ef53e974e
Opcode Fuzzy Hash: a6ff89ed3a7af871bd8892619289be0b7db995d6aafe0c9dcf50d58a480d1a77
Instruction Fuzzy Hash: 101172716042086AE700EBE6CD42F9FB7ACDF48714F51083BB605F71C1DAB9AD108669

Uniqueness

Uniqueness Score: -1.00%

Function 00411648, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00411648(void* __ebx, void* __ecx, void* __edx, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _t16;
				intOrPtr _t32;
				intOrPtr _t41;

				_t27 = __ebx;
				_push(0);
				_push(0);
				_push(0);
				_push(_t41);
				_push(0x411712);
				_push( *[fs:eax]);
				 *[fs:eax] = _t41;
				 *0x418518 =  *0x418518 - 1;
				if( *0x418518 < 0) {
					 *0x41851c = E00406728(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
					 *0x418520 = E00406728(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
					if( *0x41851c == 0 ||  *0x418520 == 0) {
						_t16 = 0;
					} else {
						_t16 = 1;
					}
					 *0x418524 = _t16;
					E0040B9D0( &_v12);
					E0040B2E0(_v12,  &_v8);
					E00404F98( &_v8, L"shell32.dll");
					E0040AC84(_v8, _t27, 0x8000); // executed
					E0040BF84(0x4c783afb,  &_v16);
				}
				_pop(_t32);
				 *[fs:eax] = _t32;
				_push(E00411719);
				return L00404C90( &_v16, 3);
			}

0x00411648
0x0041164b
0x0041164d
0x0041164f
0x00411653
0x00411654
0x00411659
0x0041165c
0x0041165f
0x00411666
0x00411681
0x0041169b
0x004116a7
0x004116b2
0x004116b6
0x004116b6
0x004116b6
0x004116b8
0x004116c0
0x004116cb
0x004116d8
0x004116e5
0x004116f2
0x004116f2
0x004116f9
0x004116fc
0x004116ff
0x00411711

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00411712,?,00000000,00000000,00000000), ref: 00411676

Part of subcall function 00406728: GetProcAddress.KERNEL32(?,0040BDAE), ref: 0040674C

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00411712,?,00000000,00000000,00000000), ref: 00411690

Part of subcall function 00406728: GetProcAddress.KERNEL32(?,00000000), ref: 0040676E

Strings

Wow64DisableWow64FsRedirection, xrefs: 0041166C
shell32.dll, xrefs: 004116D3
Wow64RevertWow64FsRedirection, xrefs: 00411686
kernel32.dll, xrefs: 00411671, 0041168B

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 2f0755cccddb31bbdbba5d8af8f80745d1cb5ed8f8d4bb57e18a718c238bbcdd
Instruction ID: d7528d1017f4a84dae1ce8805adde9276a30cd3593f776e10bb963afcfd3ed6d
Opcode Fuzzy Hash: 2f0755cccddb31bbdbba5d8af8f80745d1cb5ed8f8d4bb57e18a718c238bbcdd
Instruction Fuzzy Hash: E211C130600209BFD701EBA2D842BCD37A9E745748F61843BF600A73E1DB7D5A858A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004018F8, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E004018F8(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* _t96;
				void** _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				void* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				void* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t129 =  *0x41304d; // 0x0
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t156 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
							_t121 = _t96;
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E0040165C();
								_t99 =  *0x415acc; // 0x415ac8
								 *_t147 = 0x415ac8;
								 *0x415acc = _t121;
								 *(_t147 + 4) = _t99;
								 *_t99 = _t121;
								 *0x415ac4 = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t125 = (__eax + 0x000000d3 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x413a34], ah");
								if(__eflags == 0) {
									goto L42;
								}
								asm("pause");
								__eflags =  *0x4138d5;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									asm("lock cmpxchg [0x413a34], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L42;
							}
						}
						L42:
						_t141 = _t125 - 0xb30;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x413a44 + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x413a40;
							if((0xfffffffe << _t132 &  *0x413a40) == 0) {
								_t133 =  *0x413a3c; // 0xb4b50
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E004015E4(_t125);
								} else {
									_t110 =  *0x413a38; // 0x2534b60
									_t109 = _t110 - _t125;
									 *0x413a38 = _t109;
									 *0x413a3c = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x413a34 = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L50;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L50:
							_push(_t152);
							_push(_t145);
							_t148 = 0x413ac4 + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x413a44 + _t142 * 4;
								 *_t80 =  *(0x413a44 + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x413a40], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E00401518(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							 *(_t159 - 4) = _t125 + 2;
							 *0x413a34 = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					__eax =  *(__edx + 0x4138dc) & 0x000000ff;
					__ebx = 0x41205c + ( *(__edx + 0x4138dc) & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									asm("pause");
									__eflags =  *0x4138d5;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [ebx], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 4);
					__eax =  *(__edx + 8);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x10);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0xc);
						if(__eax >  *(__ebx + 0xc)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x41304d;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x413a34], ah");
									if(__eflags == 0) {
										goto L22;
									}
									asm("pause");
									__eflags =  *0x4138d5;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [0x413a34], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
									goto L22;
								}
							}
							L22:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x413a40;
							__eflags =  *(__ebx + 1) &  *0x413a40;
							if(( *(__ebx + 1) &  *0x413a40) == 0) {
								__ecx =  *(__ebx + 0x18) & 0x0000ffff;
								__edi =  *0x413a3c; // 0xb4b50
								__eflags = __edi - ( *(__ebx + 0x18) & 0x0000ffff);
								if(__edi < ( *(__ebx + 0x18) & 0x0000ffff)) {
									__eax =  *(__ebx + 0x1a) & 0x0000ffff;
									__edi = __eax;
									__eax = E004015E4(__eax);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L35;
									} else {
										 *0x413a34 = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x413a38; // 0x2534b60
									__ecx =  *(__ebx + 0x1a) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x413a3c =  *0x413a3c - __edi;
									 *0x413a38 = __esi;
									goto L35;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x413a44 + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x413a44 + __eax * 4) + __eax * 8 * 4;
								__edi = 0x413ac4 + ( *(0x413a44 + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x413a44 + __eax * 4;
									 *_t38 =  *(0x413a44 + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x413a40], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 0x1a) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E00401518(__eax, __ecx, __edx);
								}
								L35:
								_t56 = __edi + 6; // 0xb4b56
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x413a34 = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 8)) = 0;
								 *((intOrPtr*)(__esi + 0xc)) = 1;
								 *(__ebx + 0x10) = __esi;
								_t61 = __esi + 0x20; // 0x2534b80
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 8) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0xc) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0xc;
							 *_t19 =  *(__edx + 0xc) + 1;
							__eflags =  *_t19;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0xc) =  *(__edx + 0xc) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 8) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 4);
							 *(__ecx + 0x14) = __ebx;
							 *(__ebx + 4) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00401904
0x0040190a
0x00401b58
0x00401b5d
0x00401c70
0x00401c71
0x00401c73
0x004016a4
0x004016a8
0x004016b4
0x004016c4
0x004016c9
0x004016cd
0x004016cf
0x004016d1
0x004016d7
0x004016da
0x004016df
0x004016e4
0x004016ea
0x004016f0
0x004016f3
0x004016f5
0x004016fc
0x004016fc
0x00401705
0x00401c79
0x00401c79
0x00401c7b
0x00401c7b
0x00401b63
0x00401b6f
0x00401b72
0x00401b74
0x00401b1c
0x00401b21
0x00401b29
0x00000000
0x00000000
0x00401b2b
0x00401b2d
0x00401b34
0x00000000
0x00401b36
0x00401b38
0x00401b42
0x00401b4a
0x00401b4e
0x00000000
0x00401b4e
0x00401b4a
0x00000000
0x00401b34
0x00401b1c
0x00401b76
0x00401b76
0x00401b7e
0x00401b81
0x00401b8b
0x00401b8b
0x00401b92
0x00401ba5
0x00401ba9
0x00401baf
0x00401bc8
0x00401bce
0x00401bce
0x00401bd0
0x00401bee
0x00401bd2
0x00401bd2
0x00401bd7
0x00401bd9
0x00401bde
0x00401be7
0x00401be7
0x00401bf3
0x00401bfb
0x00401bb1
0x00401bb1
0x00401bbb
0x00401bc3
0x00000000
0x00401bc3
0x00401b94
0x00401b97
0x00401b9a
0x00401bfc
0x00401bfc
0x00401bfd
0x00401bfe
0x00401c05
0x00401c08
0x00401c0b
0x00401c0e
0x00401c10
0x00401c12
0x00401c19
0x00401c1b
0x00401c1b
0x00401c1b
0x00401c22
0x00401c24
0x00401c24
0x00401c22
0x00401c30
0x00401c35
0x00401c35
0x00401c37
0x00401c58
0x00401c58
0x00401c58
0x00401c39
0x00401c39
0x00401c3f
0x00401c42
0x00401c46
0x00401c4c
0x00401c4e
0x00401c4e
0x00401c4c
0x00401c60
0x00401c63
0x00401c6f
0x00401c6f
0x00401b92
0x00401910
0x00401910
0x00401912
0x00401919
0x00401920
0x00401978
0x00401978
0x0040197d
0x00401981
0x00000000
0x00000000
0x00401983
0x00401983
0x00401986
0x0040198b
0x0040198f
0x00401991
0x00401991
0x00401994
0x00401999
0x0040199d
0x0040199f
0x004019a2
0x004019a4
0x004019ab
0x00000000
0x004019ad
0x004019af
0x004019b4
0x004019b9
0x004019bd
0x004019c5
0x00000000
0x004019c5
0x004019bd
0x004019ab
0x0040199d
0x00000000
0x0040198f
0x00401978
0x00401922
0x00401922
0x00401925
0x00401928
0x0040192d
0x0040192f
0x00401948
0x0040194b
0x0040194f
0x00401951
0x00401954
0x004019cc
0x004019cd
0x004019ce
0x004019d5
0x004019d7
0x004019d7
0x004019dc
0x004019e4
0x00000000
0x00000000
0x004019e6
0x004019e8
0x004019ef
0x00000000
0x004019f1
0x004019f3
0x004019f8
0x004019fd
0x00401a05
0x00401a09
0x00000000
0x00401a09
0x00401a05
0x00000000
0x004019ef
0x004019d7
0x00401a10
0x00401a14
0x00401a14
0x00401a1a
0x00401a8c
0x00401a90
0x00401a96
0x00401a98
0x00401ac0
0x00401ac4
0x00401ac6
0x00401acb
0x00401acd
0x00401acf
0x00000000
0x00401ad1
0x00401ad1
0x00401ad6
0x00401ad8
0x00401ad9
0x00401ada
0x00401adb
0x00401adb
0x00401a9a
0x00401a9a
0x00401aa0
0x00401aa4
0x00401aaa
0x00401aac
0x00401aae
0x00401aae
0x00401ab0
0x00401ab2
0x00401ab8
0x00000000
0x00401ab8
0x00401a1c
0x00401a1c
0x00401a1f
0x00401a26
0x00401a2d
0x00401a30
0x00401a33
0x00401a3a
0x00401a3d
0x00401a40
0x00401a43
0x00401a45
0x00401a47
0x00401a49
0x00401a4e
0x00401a50
0x00401a50
0x00401a50
0x00401a57
0x00401a59
0x00401a59
0x00401a57
0x00401a60
0x00401a65
0x00401a68
0x00401a6e
0x00401adc
0x00401adc
0x00401adc
0x00401a70
0x00401a70
0x00401a72
0x00401a76
0x00401a78
0x00401a7b
0x00401a7e
0x00401a81
0x00401a85
0x00401a85
0x00401ae1
0x00401ae1
0x00401ae1
0x00401ae4
0x00401ae7
0x00401ae9
0x00401aee
0x00401af0
0x00401af3
0x00401afa
0x00401afd
0x00401afd
0x00401b00
0x00401b04
0x00401b07
0x00401b0a
0x00401b0c
0x00401b0c
0x00401b0e
0x00401b11
0x00401b14
0x00401b17
0x00401b18
0x00401b19
0x00401b1a
0x00401b1a
0x00401956
0x00401956
0x00401956
0x00401956
0x0040195a
0x0040195d
0x00401960
0x00401963
0x00401964
0x00401964
0x00401931
0x00401931
0x00401935
0x00401935
0x00401938
0x0040193b
0x0040193e
0x00401968
0x0040196b
0x0040196e
0x00401971
0x00401974
0x00401975
0x00401940
0x00401940
0x00401943
0x00401944
0x00401944
0x0040193e
0x0040192f

APIs

Sleep.KERNEL32(00000000,?,004018C6), ref: 004019AF
Sleep.KERNEL32(0000000A,00000000,?,004018C6), ref: 004019C5
Sleep.KERNEL32(00000000,?,?,?,004018C6), ref: 004019F3
Sleep.KERNEL32(0000000A,00000000,?,?,?,004018C6), ref: 00401A09

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f51487f3f1496f02d5e4cf641ff69e07689fa8231a26707e284f0f573df8b7fc
Instruction ID: 0cef76587b77e40ce70905fbd12d0a83284de57665f5d39768faeb799c530d07
Opcode Fuzzy Hash: f51487f3f1496f02d5e4cf641ff69e07689fa8231a26707e284f0f573df8b7fc
Instruction Fuzzy Hash: A0C125726012508BCB15CF29D980796BBE0AF85351F18C2BFE485AB3E5D778A941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED40, Relevance: 7.6, APIs: 5, Instructions: 80
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040ED40(void* __eax) {
				char _v44;
				struct _SYSTEM_INFO _v80;
				long _v84;
				char _v88;
				long _t22;
				int _t28;
				void* _t37;
				struct _MEMORY_BASIC_INFORMATION* _t40;
				long _t41;
				void** _t42;

				_t42 =  &(_v80.dwPageSize);
				 *_t42 = __eax;
				_t40 =  &_v44;
				GetSystemInfo( &_v80); // executed
				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
				if(_t22 == 0) {
					L17:
					return _t22;
				} else {
					while(1) {
						_t22 = _t40->AllocationBase;
						if(_t22 !=  *_t42) {
							goto L17;
						}
						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
							L15:
							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
							if(_t22 == 0) {
								goto L17;
							}
							continue;
						} else {
							_v88 = 0;
							_t41 = _t40->Protect;
							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
								if(_t28 != 0) {
									_v88 = 1;
								}
							}
							_t37 = 0;
							while(_t37 < _t40->RegionSize) {
								E0040ED38(_t40->BaseAddress + _t37);
								_t37 = _t37 + _v80.dwPageSize;
							}
							if(_v88 != 0) {
								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
							}
							goto L15;
						}
					}
					goto L17;
				}
			}

0x0040ed44
0x0040ed47
0x0040ed4a
0x0040ed53
0x0040ed5f
0x0040ed66
0x0040ee12
0x0040ee12
0x0040ed6c
0x0040edff
0x0040edff
0x0040ee05
0x00000000
0x00000000
0x0040ed78
0x0040edeb
0x0040edf6
0x0040edfd
0x00000000
0x00000000
0x00000000
0x0040ed80
0x0040ed80
0x0040ed85
0x0040ed8b
0x0040edaa
0x0040edb1
0x0040edb3
0x0040edb3
0x0040edb1
0x0040edb8
0x0040edc9
0x0040edc0
0x0040edc5
0x0040edc5
0x0040edd3
0x0040ede6
0x0040ede6
0x00000000
0x0040edd3
0x0040ed78
0x00000000
0x0040edff

APIs

GetSystemInfo.KERNEL32(?), ref: 0040ED53
VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 0040ED5F
VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 0040EDAA
VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 0040EDE6
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 0040EDF6

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 2fc8043b29857472b58c255470cfcfd6539f48e52088e031203312cf8912bc76
Instruction ID: 4b5512479451d82684af30c3e99dc27f9476853229ddccfc2b98e30e16071c48
Opcode Fuzzy Hash: 2fc8043b29857472b58c255470cfcfd6539f48e52088e031203312cf8912bc76
Instruction Fuzzy Hash: 7B217C71104305AED730EA66C884EABB7E8EF45310F048C2EF585A32C1D339E864CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040E414, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E0040E414(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char* _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				int _t30;
				intOrPtr _t63;
				void* _t71;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t76;

				_t71 = __edi;
				_t54 = __ebx;
				_t75 = _t76;
				_t55 = 4;
				do {
					_push(0);
					_push(0);
					_t55 = _t55 - 1;
				} while (_t55 != 0);
				_push(_t55);
				_push(__ebx);
				_t73 = __eax;
				_t78 = 0;
				_push(_t75);
				_push(0x40e509);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				while(1) {
					E0040B9FC( &_v12, _t54, _t55, _t78); // executed
					_t55 = L".tmp";
					E0040E2F8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
					_t30 = CreateDirectoryW(E00404D24(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t54 = GetLastError();
					_t78 = _t54 - 0xb7;
					if(_t54 != 0xb7) {
						_push( &_v16);
						E0040DF20(0x36,  &_v32, _v8);
						_v28 = _v32;
						E00407EE8( &_v36, _t54);
						_v24 = _v36;
						E0040BF84(_t54,  &_v40);
						_v20 = _v40;
						E0040DEF0(0x68, 2,  &_v28, 0);
						_t55 = _v16;
						E00409824(_v16, 1);
						E00403F88();
					}
				}
				E00404C98(_t73, _v8);
				__eflags = 0;
				_pop(_t63);
				 *[fs:eax] = _t63;
				_push(E0040E510);
				L00404C90( &_v40, 3);
				return L00404C90( &_v16, 3);
			}

0x0040e414
0x0040e414
0x0040e415
0x0040e417
0x0040e41c
0x0040e41c
0x0040e41e
0x0040e420
0x0040e420
0x0040e423
0x0040e424
0x0040e426
0x0040e428
0x0040e42a
0x0040e42b
0x0040e430
0x0040e433
0x0040e436
0x0040e43d
0x0040e445
0x0040e44c
0x0040e45c
0x0040e463
0x00000000
0x00000000
0x0040e46a
0x0040e46c
0x0040e472
0x0040e477
0x0040e480
0x0040e488
0x0040e494
0x0040e49c
0x0040e4a4
0x0040e4ac
0x0040e4b9
0x0040e4be
0x0040e4c8
0x0040e4cd
0x0040e4cd
0x0040e472
0x0040e4dc
0x0040e4e1
0x0040e4e3
0x0040e4e6
0x0040e4e9
0x0040e4f6
0x0040e508

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,0040E509,?,?,?,00000003,00000000,00000000,?,00411A7D), ref: 0040E45C
GetLastError.KERNEL32(00000000,00000000,?,00000000,0040E509,?,?,?,00000003,00000000,00000000,?,00411A7D), ref: 0040E465

Strings

.tmp, xrefs: 0040E445

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 7edbd8eb8868f647336dcda8a82f97366c033c536537bd7bc5c9f0c834e51e1f
Instruction ID: 0fa68b6a66232beb2f5cf3e2a8c7cb538fd8d08fdd35de0873b47ece01a66cb4
Opcode Fuzzy Hash: 7edbd8eb8868f647336dcda8a82f97366c033c536537bd7bc5c9f0c834e51e1f
Instruction Fuzzy Hash: 04218B75A00109ABDB14EFE5CC41ADEB3F9EB88304F51457BF901B73C1DA389E008AA8

Uniqueness

Uniqueness Score: -1.00%

Function 004068EC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004068EC(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
				WCHAR* _v8;
				void* _t13;
				struct HWND__* _t24;
				WCHAR* _t29;
				long _t32;

				_v8 = _t29;
				_t32 = __eax;
				_t13 = E00403110();
				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				E00403100(_t13);
				return _t24;
			}

0x004068f3
0x004068f8
0x004068fa
0x0040692b
0x00406934
0x00406940

APIs

CreateWindowExW.USER32 ref: 0040692B

Strings

InnoSetupLdrWindow, xrefs: 004068EF
STATIC, xrefs: 00406929

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateWindow
String ID: InnoSetupLdrWindow$STATIC
API String ID: 716092398-2209255943
Opcode ID: c0992d5dae7087bb7648db7e278b48ea95b6fe98ae32dfbc74ce53748ec999af
Instruction ID: 6351ba77ad7f294675345a051ebbfaa16a65daa534f29d3811ce1de3ec6cb91b
Opcode Fuzzy Hash: c0992d5dae7087bb7648db7e278b48ea95b6fe98ae32dfbc74ce53748ec999af
Instruction Fuzzy Hash: E3F092B2600118BF8B80DE9DDC81EDB7BECEB4C264B05412AFA0CE7201D634ED108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5DC, Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E5DC(long __eax, intOrPtr __edx, long _a4, long _a8) {
				intOrPtr _v8;
				long _t5;
				long _t9;
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;

				_t5 = __eax;
				_v8 = __edx;
				_t9 = __eax;
				_t15 = _t10 - 1;
				if(_t15 < 0) {
					L10:
					return _t5;
				}
				_t16 = _t15 + 1;
				_t13 = 0;
				while(1) {
					_t19 = _t13 - 1;
					if(_t13 != 1) {
						__eflags = _t13 - 1;
						if(__eflags > 0) {
							Sleep(_a4);
						}
					} else {
						Sleep(_a8);
					}
					_t5 = E0040E168(_t9, _v8, _t19); // executed
					if(_t5 != 0) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 2) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 3) {
						goto L10;
					}
					_t13 = _t13 + 1;
					_t16 = _t16 - 1;
					if(_t16 != 0) {
						continue;
					}
					goto L10;
				}
				goto L10;
			}

0x0040e5dc
0x0040e5e3
0x0040e5e6
0x0040e5ea
0x0040e5ed
0x0040e63b
0x0040e63b
0x0040e63b
0x0040e5ef
0x0040e5f0
0x0040e5f2
0x0040e5f2
0x0040e5f5
0x0040e602
0x0040e605
0x0040e60b
0x0040e60b
0x0040e5f7
0x0040e5fb
0x0040e5fb
0x0040e615
0x0040e61c
0x00000000
0x00000000
0x0040e61e
0x0040e626
0x00000000
0x00000000
0x0040e628
0x0040e630
0x00000000
0x00000000
0x0040e632
0x0040e633
0x0040e634
0x00000000
0x00000000
0x00000000
0x0040e634
0x00000000

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E5FB
Sleep.KERNEL32(?,?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E60B
GetLastError.KERNEL32(?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E61E
GetLastError.KERNEL32(?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E628

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: aac2bbf36f8ddde83f6facb60647697f5e410134289920da196e8a7cad57603d
Instruction ID: 94192f546389ca7677f92084570e97d6a590b5d124bd5d39fde150768ecb5d8c
Opcode Fuzzy Hash: aac2bbf36f8ddde83f6facb60647697f5e410134289920da196e8a7cad57603d
Instruction Fuzzy Hash: 22F02B3260012467DB30E5BFEC8591F7258DAA13687104C3BF505F3381D43ADD6142A9

Uniqueness

Uniqueness Score: -1.00%

Function 00404580, Relevance: 4.6, APIs: 3, Instructions: 92
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00404580() {
				void* _t14;
				int _t21;
				void* _t33;
				void* _t47;
				struct HINSTANCE__* _t54;
				void* _t58;

				if( *0x412004 != 0) {
					E00404458();
					E004044F0(_t47);
					 *0x412004 = 0;
				}
				if( *0x415b18 != 0 && GetCurrentThreadId() ==  *0x415b40) {
					E004041DC(0x415b14);
					E004044C4(0x415b14);
				}
				if( *0x00415B0C != 0 ||  *0x413048 == 0) {
					L8:
					if( *((char*)(0x415b0c)) == 2 &&  *0x412000 == 0) {
						 *0x00415AF0 = 0;
					}
					_t14 = E00402EC8();
					_t45 = _t14;
					if(_t14 == 0) {
						L13:
						E00404204(); // executed
						if( *((char*)(0x415b0c)) <= 1 ||  *0x412000 != 0) {
							_t57 =  *0x00415AF4;
							if( *0x00415AF4 != 0) {
								E00406204(_t57);
								_t7 =  *((intOrPtr*)(0x415af4)) + 0x10; // 0x400000
								_t54 =  *_t7;
								_t9 =  *((intOrPtr*)(0x415af4)) + 4; // 0x400000
								if(_t54 !=  *_t9 && _t54 != 0) {
									FreeLibrary(_t54);
								}
							}
						}
						E004041DC(0x415ae4);
						if( *((char*)(0x415b0c)) == 1) {
							 *0x00415B08();
						}
						if( *((char*)(0x415b0c)) != 0) {
							E004044C4(0x415ae4);
						}
						if( *0x415ae4 == 0) {
							if( *0x41302c != 0) {
								 *0x41302c();
							}
							_t21 =  *0x412000; // 0x0
							ExitProcess(_t21); // executed
						}
						memcpy(0x415ae4,  *0x415ae4, 0xc << 2);
						_t58 = _t58 + 0xc;
						0x415ae4 = 0x415ae4;
						goto L8;
					} else {
						do {
							E00403894(_t45);
							_t33 = E00402EC8();
							_t45 = _t33;
						} while (_t33 != 0);
						goto L13;
					}
				} else {
					do {
						 *0x413048 = 0;
						 *((intOrPtr*)( *0x413048))();
					} while ( *0x413048 != 0);
					L8:
					while(1) {
					}
				}
			}

0x00404595
0x00404597
0x0040459c
0x004045a3
0x004045a3
0x004045af
0x004045c3
0x004045cd
0x004045cd
0x004045d6
0x004045ec
0x004045f0
0x004045fd
0x004045fd
0x00404600
0x00404605
0x00404609
0x0040461d
0x0040461d
0x00404626
0x00404631
0x00404636
0x0040463a
0x00404642
0x00404642
0x00404648
0x0040464b
0x00404652
0x00404652
0x0040464b
0x00404636
0x00404659
0x00404662
0x00404664
0x00404664
0x0040466b
0x0040466f
0x0040466f
0x00404677
0x00404680
0x00404682
0x00404682
0x00404688
0x0040468e
0x0040468e
0x0040469f
0x0040469f
0x004046a1
0x00000000
0x0040460b
0x0040460b
0x0040460d
0x00404612
0x00404617
0x00404619
0x00000000
0x0040460b
0x004045dd
0x004045dd
0x004045e3
0x004045e5
0x004045e7
0x00000000
0x004045ec
0x00000000
0x004045ec

APIs

GetCurrentThreadId.KERNEL32 ref: 004045B1
FreeLibrary.KERNEL32(00400000,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?,?,?,00000000,0040B7F4,00000000,0040B83D), ref: 00404652
ExitProcess.KERNEL32(00000000,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?,?,?,00000000,0040B7F4,00000000,0040B83D), ref: 0040468E

Part of subcall function 004044F0: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?), ref: 00404529
Part of subcall function 004044F0: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000), ref: 0040452F
Part of subcall function 004044F0: GetStdHandle.KERNEL32(000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 00404544
Part of subcall function 004044F0: WriteFile.KERNEL32(00000000,000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 0040454A

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID:
API String ID: 3490077880-0
Opcode ID: 4356c6b92ebc9da1c518ca1677b44757bab9836aa0f193545dcf1a51ed26351d
Instruction ID: 4d782e4c625b569beac7369a61e92c8a12ca43a803c998872a7a01d6faed15f3
Opcode Fuzzy Hash: 4356c6b92ebc9da1c518ca1677b44757bab9836aa0f193545dcf1a51ed26351d
Instruction Fuzzy Hash: 8131A0B06006408BDB31BBB9984875776D4AB99309F14493FE745A72D2E7BDE880CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00404578, Relevance: 4.6, APIs: 3, Instructions: 87
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00404578() {
				intOrPtr* _t14;
				void* _t17;
				int _t24;
				void* _t36;
				void* _t51;
				struct HINSTANCE__* _t59;
				void* _t65;

				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
				if( *0x412004 != 0) {
					E00404458();
					E004044F0(_t51);
					 *0x412004 = 0;
				}
				if( *0x415b18 != 0 && GetCurrentThreadId() ==  *0x415b40) {
					E004041DC(0x415b14);
					E004044C4(0x415b14);
				}
				if( *0x00415B0C != 0 ||  *0x413048 == 0) {
					L10:
					if( *((char*)(0x415b0c)) == 2 &&  *0x412000 == 0) {
						 *0x00415AF0 = 0;
					}
					_t17 = E00402EC8();
					_t49 = _t17;
					if(_t17 == 0) {
						L15:
						E00404204(); // executed
						if( *((char*)(0x415b0c)) <= 1 ||  *0x412000 != 0) {
							_t64 =  *0x00415AF4;
							if( *0x00415AF4 != 0) {
								E00406204(_t64);
								_t7 =  *((intOrPtr*)(0x415af4)) + 0x10; // 0x400000
								_t59 =  *_t7;
								_t9 =  *((intOrPtr*)(0x415af4)) + 4; // 0x400000
								if(_t59 !=  *_t9 && _t59 != 0) {
									FreeLibrary(_t59);
								}
							}
						}
						E004041DC(0x415ae4);
						if( *((char*)(0x415b0c)) == 1) {
							 *0x00415B08();
						}
						if( *((char*)(0x415b0c)) != 0) {
							E004044C4(0x415ae4);
						}
						if( *0x415ae4 == 0) {
							if( *0x41302c != 0) {
								 *0x41302c();
							}
							_t24 =  *0x412000; // 0x0
							ExitProcess(_t24); // executed
						}
						memcpy(0x415ae4,  *0x415ae4, 0xc << 2);
						_t65 = _t65 + 0xc;
						0x415ae4 = 0x415ae4;
						goto L10;
					} else {
						do {
							E00403894(_t49);
							_t36 = E00402EC8();
							_t49 = _t36;
						} while (_t36 != 0);
						goto L15;
					}
				} else {
					do {
						 *0x413048 = 0;
						 *((intOrPtr*)( *0x413048))();
					} while ( *0x413048 != 0);
					L10:
					while(1) {
					}
				}
			}

0x0040457a
0x00404595
0x00404597
0x0040459c
0x004045a3
0x004045a3
0x004045af
0x004045c3
0x004045cd
0x004045cd
0x004045d6
0x004045ec
0x004045f0
0x004045fd
0x004045fd
0x00404600
0x00404605
0x00404609
0x0040461d
0x0040461d
0x00404626
0x00404631
0x00404636
0x0040463a
0x00404642
0x00404642
0x00404648
0x0040464b
0x00404652
0x00404652
0x0040464b
0x00404636
0x00404659
0x00404662
0x00404664
0x00404664
0x0040466b
0x0040466f
0x0040466f
0x00404677
0x00404680
0x00404682
0x00404682
0x00404688
0x0040468e
0x0040468e
0x0040469f
0x0040469f
0x004046a1
0x00000000
0x0040460b
0x0040460b
0x0040460d
0x00404612
0x00404617
0x00404619
0x00000000
0x0040460b
0x004045dd
0x004045dd
0x004045e3
0x004045e5
0x004045e7
0x00000000
0x004045ec
0x00000000
0x004045ec

APIs

GetCurrentThreadId.KERNEL32 ref: 004045B1
FreeLibrary.KERNEL32(00400000,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?,?,?,00000000,0040B7F4,00000000,0040B83D), ref: 00404652
ExitProcess.KERNEL32(00000000,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?,?,?,00000000,0040B7F4,00000000,0040B83D), ref: 0040468E

Part of subcall function 004044F0: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?), ref: 00404529
Part of subcall function 004044F0: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000), ref: 0040452F
Part of subcall function 004044F0: GetStdHandle.KERNEL32(000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 00404544
Part of subcall function 004044F0: WriteFile.KERNEL32(00000000,000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 0040454A

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID:
API String ID: 3490077880-0
Opcode ID: bf4da6e25b82f27659905996c7380b79b83ab0ced5a03e697dd3e7aa7360de26
Instruction ID: ae86e3c572180b17c01ff7deee3723e6db1901e31400f3d11ea795e357d1f3a4
Opcode Fuzzy Hash: bf4da6e25b82f27659905996c7380b79b83ab0ced5a03e697dd3e7aa7360de26
Instruction Fuzzy Hash: 90317EB06007408BDB31BBA995483577BE06B9A309F04493FE745A72D2E7BDE890CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040457C, Relevance: 4.6, APIs: 3, Instructions: 85
threadCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040457C() {
				void* _t16;
				int _t23;
				void* _t35;
				void* _t50;
				struct HINSTANCE__* _t58;
				void* _t64;

				if( *0x412004 != 0) {
					E00404458();
					E004044F0(_t50);
					 *0x412004 = 0;
				}
				if( *0x415b18 != 0 && GetCurrentThreadId() ==  *0x415b40) {
					E004041DC(0x415b14);
					E004044C4(0x415b14);
				}
				if( *0x00415B0C != 0 ||  *0x413048 == 0) {
					L9:
					if( *((char*)(0x415b0c)) == 2 &&  *0x412000 == 0) {
						 *0x00415AF0 = 0;
					}
					_t16 = E00402EC8();
					_t48 = _t16;
					if(_t16 == 0) {
						L14:
						E00404204(); // executed
						if( *((char*)(0x415b0c)) <= 1 ||  *0x412000 != 0) {
							_t63 =  *0x00415AF4;
							if( *0x00415AF4 != 0) {
								E00406204(_t63);
								_t7 =  *((intOrPtr*)(0x415af4)) + 0x10; // 0x400000
								_t58 =  *_t7;
								_t9 =  *((intOrPtr*)(0x415af4)) + 4; // 0x400000
								if(_t58 !=  *_t9 && _t58 != 0) {
									FreeLibrary(_t58);
								}
							}
						}
						E004041DC(0x415ae4);
						if( *((char*)(0x415b0c)) == 1) {
							 *0x00415B08();
						}
						if( *((char*)(0x415b0c)) != 0) {
							E004044C4(0x415ae4);
						}
						if( *0x415ae4 == 0) {
							if( *0x41302c != 0) {
								 *0x41302c();
							}
							_t23 =  *0x412000; // 0x0
							ExitProcess(_t23); // executed
						}
						memcpy(0x415ae4,  *0x415ae4, 0xc << 2);
						_t64 = _t64 + 0xc;
						0x415ae4 = 0x415ae4;
						goto L9;
					} else {
						do {
							E00403894(_t48);
							_t35 = E00402EC8();
							_t48 = _t35;
						} while (_t35 != 0);
						goto L14;
					}
				} else {
					do {
						 *0x413048 = 0;
						 *((intOrPtr*)( *0x413048))();
					} while ( *0x413048 != 0);
					L9:
					while(1) {
					}
				}
			}

APIs

GetCurrentThreadId.KERNEL32 ref: 004045B1
FreeLibrary.KERNEL32(00400000,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?,?,?,00000000,0040B7F4,00000000,0040B83D), ref: 00404652
ExitProcess.KERNEL32(00000000,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?,?,?,00000000,0040B7F4,00000000,0040B83D), ref: 0040468E

Part of subcall function 004044F0: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?), ref: 00404529
Part of subcall function 004044F0: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000), ref: 0040452F
Part of subcall function 004044F0: GetStdHandle.KERNEL32(000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 00404544
Part of subcall function 004044F0: WriteFile.KERNEL32(00000000,000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 0040454A

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID:
API String ID: 3490077880-0
Opcode ID: ef303358ffc1e6e0198b2a0a684d254f0c5984d34b54cf5c49c6103e49519b38
Instruction ID: 381d49ba10d3c5657357f4fb8878975e958cf176e4fcae55fd6a7565d347896d
Opcode Fuzzy Hash: ef303358ffc1e6e0198b2a0a684d254f0c5984d34b54cf5c49c6103e49519b38
Instruction Fuzzy Hash: 0A31A1B06007408BDB31BBB995483577AE06B99309F04493FE745A72D2E7BDE890CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00402D08, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402D08() {
				intOrPtr _t13;
				int _t14;
				void* _t16;
				int _t20;
				void* _t21;
				void* _t22;
				void* _t23;

				_t23 =  *0x00413A28;
				while(_t23 != 0x413a24) {
					VirtualFree(_t23, 0, 0x8000); // executed
					_t23 =  *(_t23 + 4);
				}
				_t21 = 0x37;
				_t13 = 0x41205c;
				do {
					 *((intOrPtr*)(_t13 + 0x14)) = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t13;
					 *((intOrPtr*)(_t13 + 8)) = 1;
					 *((intOrPtr*)(_t13 + 0xc)) = 0;
					_t13 = _t13 + 0x20;
					_t21 = _t21 - 1;
				} while (_t21 != 0);
				 *0x413a24 = 0x413a24;
				 *0x00413A28 = 0x413a24;
				_t22 = 0x400;
				_t20 = 0x413ac4;
				do {
					_t14 = _t20;
					 *_t14 = _t14;
					_t8 = _t14 + 4; // 0x413ac4
					 *_t8 = _t14;
					_t20 = _t20 + 8;
					_t22 = _t22 - 1;
				} while (_t22 != 0);
				_t16 =  *0x00415ACC;
				while(_t16 != 0x415ac8) {
					_t10 = _t16 + 4; // 0x415ac8
					_t14 = VirtualFree(_t16, 0, 0x8000);
					_t16 =  *_t10;
				}
				 *0x415ac8 = 0x415ac8;
				 *0x00415ACC = 0x415ac8;
				return _t14;
			}

0x00402d16
0x00402d2d
0x00402d26
0x00402d2b
0x00402d2b
0x00402d31
0x00402d36
0x00402d3b
0x00402d3d
0x00402d42
0x00402d45
0x00402d4e
0x00402d51
0x00402d54
0x00402d54
0x00402d57
0x00402d59
0x00402d5c
0x00402d61
0x00402d66
0x00402d66
0x00402d68
0x00402d6a
0x00402d6a
0x00402d6d
0x00402d70
0x00402d70
0x00402d73
0x00402d8a
0x00402d78
0x00402d83
0x00402d88
0x00402d88
0x00402d8e
0x00402d90
0x00402d97

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00402DE8,004064E4,00000000,00406506), ref: 00402D26
VirtualFree.KERNEL32(00415AC8,00000000,00008000,?,00000000,00008000,?,?,?,?,00402DE8,004064E4,00000000,00406506), ref: 00402D83

Strings

$:A, xrefs: 00402D0C

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: FreeVirtual
String ID: $:A
API String ID: 1263568516-3833043025
Opcode ID: 2d2d782df9233161c06dec7e4b6ee0fe064feae8b47c0467e0eab097918889d1
Instruction ID: d24d952728fcc3a9646f3ebb449162ef2ce13bf0a669e40d3a5f1eeb3db0775a
Opcode Fuzzy Hash: 2d2d782df9233161c06dec7e4b6ee0fe064feae8b47c0467e0eab097918889d1
Instruction Fuzzy Hash: F01161B13006009BD7248F089A84B66BAA5EF89754F25C07FE209AF3C1D678EC42CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004015E4, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 38
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015E4(signed int __eax) {
				void* _t4;
				intOrPtr _t7;
				signed int _t8;
				void* _t10;
				void** _t15;
				void* _t17;

				_t8 = __eax;
				E00401578(__eax);
				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
				if(_t4 == 0) {
					 *0x413a3c = 0;
					return 0;
				} else {
					_t15 =  *0x413a28; // 0x413a24
					_t10 = _t4;
					 *_t10 = 0x413a24;
					 *0x413a28 = _t4;
					 *(_t10 + 4) = _t15;
					 *_t15 = _t4;
					_t17 = _t4 + 0x13fff0;
					 *((intOrPtr*)(_t17 - 4)) = 2;
					 *0x413a3c = 0x13ffe0 - _t8;
					_t7 = _t17 - _t8;
					 *0x413a38 = _t7;
					 *(_t7 - 4) = _t8 | 0x00000002;
					return _t7;
				}
			}

0x004015e5
0x004015e7
0x004015fa
0x00401601
0x00401652
0x0040165a
0x00401603
0x00401603
0x00401609
0x0040160b
0x00401611
0x00401616
0x00401619
0x0040161d
0x00401628
0x00401635
0x0040163d
0x0040163f
0x0040164c
0x0040164f
0x0040164f

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00401BF3,?,004018C6), ref: 004015FA

Strings

$:A, xrefs: 00401603, 00401611
$:A, xrefs: 0040160B

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: AllocVirtual
String ID: $:A$$:A
API String ID: 4275171209-1384836841
Opcode ID: 39421edb908c6995d62f2c0b4cea7b3dead7872c1aad425fc2c1c6bc86b03942
Instruction ID: cf32fbc5601a1205f328c6ffb622e927ebfe32a850b6ecb500ba2c71dea074df
Opcode Fuzzy Hash: 39421edb908c6995d62f2c0b4cea7b3dead7872c1aad425fc2c1c6bc86b03942
Instruction Fuzzy Hash: 49F06DF1B103405FDB04DF7A9E817427BD6AB89396F20C03EE549EB7A8E77585418B08

Uniqueness

Uniqueness Score: -1.00%

Function 004119ED, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119
windowCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E004119ED(signed int __ebx, void* __edi, void* __esi, void* __fp0) {
				signed char _t70;
				intOrPtr _t82;
				void* _t96;
				void* _t98;

				_t96 = __edi;
				_pop(_t82);
				_pop(_t73);
				 *[fs:eax] = _t82;
				E0040EAA0(_t73);
				_t70 = __ebx >> 1;
				_push(__esi);
				 *((intOrPtr*)(_t98 + 0x50)) =  *((intOrPtr*)(_t98 + 0x50)) + __esi;
			}

0x004119ed
0x004119ef
0x004119f1
0x004119f2
0x00411a12
0x00411a14
0x00411a16
0x00411a1d

APIs

MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 00411A57

Strings

.tmp, xrefs: 00411A9D

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Message
String ID: .tmp
API String ID: 2030045667-2986845003
Opcode ID: aa335ddb19998c274477acd24add62c4eb0e4fb4cacc36a52dd716c2d59fe4ed
Instruction ID: 4f38a7cb95b2049e0ccd3ff5d2cc9ece443d10271b968dbd08f30af9efcfd22f
Opcode Fuzzy Hash: aa335ddb19998c274477acd24add62c4eb0e4fb4cacc36a52dd716c2d59fe4ed
Instruction Fuzzy Hash: 0E419D747002409FD700EF65ED92E9A77A5EB49308B21857EF900A77B1DB39AC41CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00411A14, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00411A14(void* __eax, signed int __ebx, void* __edi, void* __esi, void* __fp0) {
				signed char _t69;
				void* _t94;
				void* _t96;

				_t94 = __edi;
				_t69 = __ebx >> 1;
				_push(__esi);
				 *((intOrPtr*)(_t96 + 0x50)) =  *((intOrPtr*)(_t96 + 0x50)) + __esi;
			}

0x00411a14
0x00411a14
0x00411a16
0x00411a1d

APIs

MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 00411A57

Strings

.tmp, xrefs: 00411A9D

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Message
String ID: .tmp
API String ID: 2030045667-2986845003
Opcode ID: 37fb123fd76f62bcb6a1511a136821f2e0fbe3da14741a40b1c705a0ba5e0d56
Instruction ID: 047628a6cad94539b1516682b219623fe898eb5eae23af65b704a5dfc85e6a4c
Opcode Fuzzy Hash: 37fb123fd76f62bcb6a1511a136821f2e0fbe3da14741a40b1c705a0ba5e0d56
Instruction Fuzzy Hash: 80417B746002409FD741EF65ED92EDA77B5EB49308B11857EF900A77A1CB39AC41CBAC

Uniqueness

Uniqueness Score: -1.00%

Function 0040E168, Relevance: 3.0, APIs: 2, Instructions: 42
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040E168(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E0040E11C(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x40e1c5);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = DeleteFileW(E00404D24(__edx)); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E0040E1CC);
					return E0040E158( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x0040e169
0x0040e16b
0x0040e180
0x0040e18b
0x0040e18c
0x0040e191
0x0040e194
0x0040e19f
0x0040e1a4
0x0040e1ac
0x0040e1b1
0x0040e1b4
0x0040e1b7
0x0040e1c4
0x0040e182
0x0040e184
0x0040e1dd
0x0040e1dd

APIs

DeleteFileW.KERNEL32(00000000,00000000,0040E1C5,?,0000000D,00000000), ref: 0040E19F
GetLastError.KERNEL32(00000000,00000000,0040E1C5,?,0000000D,00000000), ref: 0040E1A7

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: a2e5160283b2e7e3ee29734541207e3f7ac44b2fb4d0f38be6bcdfeece2073ee
Instruction ID: 9ee51f34468692f2fa01031a72dd6d75f86ce427ddf2a471b47f6d80da344237
Opcode Fuzzy Hash: a2e5160283b2e7e3ee29734541207e3f7ac44b2fb4d0f38be6bcdfeece2073ee
Instruction Fuzzy Hash: 60F0F631A14308AFDB00EFB7AC0249EB3E8DB497147514DBBF804F7781E6395E208598

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC82, Relevance: 3.0, APIs: 2, Instructions: 34
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040AC82(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x40acf6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x40acd8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryW(E00404D24(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(E0040ACDF);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x0040ac85
0x0040ac87
0x0040ac8b
0x0040ac8e
0x0040ac93
0x0040ac98
0x0040ac99
0x0040ac9e
0x0040aca1
0x0040aca4
0x0040aca9
0x0040acaa
0x0040acaf
0x0040acb2
0x0040acbd
0x0040acc2
0x0040acc7
0x0040acca
0x0040accd
0x0040acd2
0x0040acd4
0x0040acd7

APIs

SetErrorMode.KERNEL32 ref: 0040AC8E
LoadLibraryW.KERNEL32(00000000,00000000,0040ACD8,?,00000000,0040ACF6), ref: 0040ACBD

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 4a0d345e161d9aa04fb204192aef2064e70d77f987adaa7dd9b6adf39232b4dc
Instruction ID: 446626037349bff6c3d3fc7edf50d58ff88a58da299c323ca587a544ae1629d3
Opcode Fuzzy Hash: 4a0d345e161d9aa04fb204192aef2064e70d77f987adaa7dd9b6adf39232b4dc
Instruction Fuzzy Hash: 3AF08970A047447FEB115F768C5242AB6ECE74DB047538876FD01E29D1E53D4C20D569

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC84, Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040AC84(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x40acf6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x40acd8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryW(E00404D24(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(E0040ACDF);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

APIs

SetErrorMode.KERNEL32 ref: 0040AC8E
LoadLibraryW.KERNEL32(00000000,00000000,0040ACD8,?,00000000,0040ACF6), ref: 0040ACBD

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: d906d2629e9325c76dbb444b949735e4ca7d417c166a0045cd3f60122fff6cd7
Instruction ID: 93d40f3431e9079428ff9cf159756719ddb02882c84a7d17cb6b63846cc3cebc
Opcode Fuzzy Hash: d906d2629e9325c76dbb444b949735e4ca7d417c166a0045cd3f60122fff6cd7
Instruction Fuzzy Hash: 7CF089709047447FDB115F768C5241AB6ECE74DB047538876F901A29D1E53D4820D569

Uniqueness

Uniqueness Score: -1.00%

Function 00411E2B, Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411E2B(void* __edx) {
				intOrPtr _t1;
				int _t2;
				intOrPtr _t3;
				intOrPtr _t5;
				struct HWND__* _t8;
				intOrPtr _t9;
				intOrPtr _t12;
				intOrPtr _t15;
				intOrPtr _t16;

				_t1 =  *0x41865c; // 0x0
				_t2 = E00403894(_t1);
				if( *0x418670 != 0) {
					_t16 =  *0x418670; // 0x0
					_t2 = E0040E5DC(0, _t16, 0xfa, 0x32); // executed
				}
				if( *0x418668 != 0) {
					_t9 =  *0x418668; // 0x0
					_t2 = RemoveDirectoryW(E00404D24(_t9)); // executed
				}
				if( *0x412af0 != 0) {
					_t8 =  *0x412af0; // 0x2a0068
					_t2 = DestroyWindow(_t8); // executed
				}
				if( *0x41864c != 0) {
					_t3 =  *0x41864c; // 0x0
					_t12 =  *0x418650; // 0xc
					_t15 =  *0x40dcc4; // 0x40dcc8
					E00405548(_t3, _t12, _t15);
					_t5 =  *0x41864c; // 0x0
					E00402E20(_t5);
					 *0x41864c = 0;
					return 0;
				}
				return _t2;
			}

0x00411d9c
0x00411da1
0x00411dad
0x00411dbb
0x00411dc3
0x00411dc3
0x00411dcf
0x00411dd1
0x00411ddc
0x00411ddc
0x00411de8
0x00411dea
0x00411df0
0x00411df0
0x00411dfc
0x00411dfe
0x00411e03
0x00411e09
0x00411e0f
0x00411e14
0x00411e19
0x00411e20
0x00000000
0x00411e20
0x00411e25

APIs

RemoveDirectoryW.KERNEL32(00000000,00411E30,?,?,?,?,?,?,?,?,?,?,002A0068,000000FC,0040EAC4,00000000), ref: 00411DDC
DestroyWindow.USER32(002A0068,00411E30,?,?,?,?,?,?,?,?,?,?,002A0068,000000FC,0040EAC4,00000000), ref: 00411DF0

Part of subcall function 0040E5DC: Sleep.KERNEL32(?,?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E5FB
Part of subcall function 0040E5DC: GetLastError.KERNEL32(?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E61E
Part of subcall function 0040E5DC: GetLastError.KERNEL32(?,?,?,0000000D,?,00411DC8,000000FA,00000032,00411E30), ref: 0040E628

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLast$DestroyDirectoryRemoveSleepWindow
String ID:
API String ID: 2192421792-0
Opcode ID: 1c6e906a6b538894d20e67497be97229656c28b0a5b638914f3d493938282075
Instruction ID: a35aad7cbc91a908b341ba8d3f0a599e5b1b0848bb1b06d1b2f77e860150aa5c
Opcode Fuzzy Hash: 1c6e906a6b538894d20e67497be97229656c28b0a5b638914f3d493938282075
Instruction Fuzzy Hash: 7501B6B02411009BD725EB69ED49BD933E1AB04309F14C93EA501972F5CE78A885CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3D0, Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040C3D0(intOrPtr* __eax, void* __edx) {
				long _v16;
				long _v20;
				long _t8;
				intOrPtr* _t10;

				asm("movsd");
				asm("movsd");
				_t10 = __eax;
				_t8 = SetFilePointer( *(__eax + 4), _v20,  &_v16, 0); // executed
				if(_t8 == 0xffffffff) {
					_t8 = GetLastError();
					if(_t8 != 0) {
						_t8 = E0040C1E4( *_t10);
					}
				}
				return _t8;
			}

0x0040c3db
0x0040c3dc
0x0040c3dd
0x0040c3ef
0x0040c3f7
0x0040c3f9
0x0040c400
0x0040c404
0x0040c404
0x0040c400
0x0040c40e

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040C3EF
GetLastError.KERNEL32(?,?,?,00000000), ref: 0040C3F9

Part of subcall function 0040C1E4: GetLastError.KERNEL32(0040C0A4,0040C287,?,?,00000000,?,0041187B,00000001,00000000,00000002,00000000,00411E7A,?,00000000,00411EBE), ref: 0040C1E7

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 50424b7e63cd685a17b9bd9a31ccaacf5ff4b9d99749838fd5b7a0ea15fdad11
Instruction ID: f9611c5e409b5906aabc26baa8b2dfa3f65e665b165aedc4df9fb55df43993f0
Opcode Fuzzy Hash: 50424b7e63cd685a17b9bd9a31ccaacf5ff4b9d99749838fd5b7a0ea15fdad11
Instruction Fuzzy Hash: 51E092762041009BD610E6ADD8C1AAB77DC9F85374F244737F664EB1D2D675D8008775

Uniqueness

Uniqueness Score: -1.00%

Function 0040C390, Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040C390(intOrPtr* __eax, long __ecx, void* __edx) {
				long _v16;
				int _t7;
				intOrPtr* _t12;

				_push(__ecx);
				_t12 = __eax;
				_t7 = ReadFile( *(__eax + 4), __edx, __ecx,  &_v16, 0); // executed
				if(_t7 == 0 && ( *((char*)(_t12 + 8)) != 0 || GetLastError() != 0x6d)) {
					E0040C1E4( *_t12);
				}
				return _v16;
			}

0x0040c393
0x0040c398
0x0040c3a7
0x0040c3ae
0x0040c3c2
0x0040c3c2
0x0040c3ce

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040C3A7
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0040C3B6

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 30cf0fc7fcda4529806b73604fb8d9908d86cd92c6d9eb36858da68b1bf07751
Instruction ID: e0f4121c1e9b4399ab2b1c9bf066f68ed76d1cae12be267a3e8b7d415970813a
Opcode Fuzzy Hash: 30cf0fc7fcda4529806b73604fb8d9908d86cd92c6d9eb36858da68b1bf07751
Instruction Fuzzy Hash: 78E09B72214150EADB10E75A9CC4F5B57DCCB86314F04817BF904DB281C674CC10C775

Uniqueness

Uniqueness Score: -1.00%

Function 0040C328, Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C328(intOrPtr* __eax, long* __edx) {
				long _t8;
				long* _t11;
				intOrPtr* _t13;

				_t11 = __edx;
				_t13 = __eax;
				 *(__edx + 4) = 0;
				_t8 = SetFilePointer( *(__eax + 4), 0, __edx + 4, 1); // executed
				 *_t11 = _t8;
				if( *_t11 == 0xffffffff) {
					_t8 = GetLastError();
					if(_t8 != 0) {
						return E0040C1E4( *_t13);
					}
				}
				return _t8;
			}

0x0040c32a
0x0040c32c
0x0040c330
0x0040c33f
0x0040c344
0x0040c349
0x0040c34b
0x0040c352
0x00000000
0x0040c356
0x0040c352
0x0040c35d

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 0040C33F
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 0040C34B

Part of subcall function 0040C1E4: GetLastError.KERNEL32(0040C0A4,0040C287,?,?,00000000,?,0041187B,00000001,00000000,00000002,00000000,00411E7A,?,00000000,00411EBE), ref: 0040C1E7

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: b5bc04d13ce7e0f4b6f76b7c9c32d4ca4eee90dc55d430a3763c41653256f821
Instruction ID: 6bb32860de773fec7b433492fb75275ead893e8bd59b77a14ca8c87ab5f49da4
Opcode Fuzzy Hash: b5bc04d13ce7e0f4b6f76b7c9c32d4ca4eee90dc55d430a3763c41653256f821
Instruction Fuzzy Hash: E1E04FB1600210DFEB10EFB588C1B66B6D89F04368F098676EA15DF2C5E675CC00C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2F4, Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A2F4(int __eax, void* __edx) {
				LONG* _t5;
				void* _t8;

				_t2 = __eax;
				if(__edx >= 0) {
					_t8 = __edx + 1;
					_t5 = __eax;
					goto L2;
					do {
						do {
							L2:
						} while (InterlockedCompareExchange(_t5, 1, 0) != 0);
						_t1 =  &(_t5[1]); // 0x0
						_t2 = CloseHandle( *_t1); // executed
						_t5 =  &(_t5[2]);
						_t8 = _t8 - 1;
					} while (_t8 != 0);
				}
				return _t2;
			}

0x0040a2f4
0x0040a2fa
0x0040a2fc
0x0040a2fd
0x0040a2fd
0x0040a2ff
0x0040a2ff
0x0040a2ff
0x0040a309
0x0040a30d
0x0040a311
0x0040a316
0x0040a319
0x0040a319
0x0040a2ff
0x0040a31e

APIs

InterlockedCompareExchange.KERNEL32(00415CA4,00000001,00000000), ref: 0040A304
CloseHandle.KERNEL32(00000000,?,00415DA8,0040A354,00415DA8,00000000,00415DA4,00000000,?,0040B156,00000000,0040B2A9), ref: 0040A311

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseCompareExchangeHandleInterlocked
String ID:
API String ID: 190309047-0
Opcode ID: be626e2ef2a55e18661b3a68549b16555cdf0c22c566df155ca2d3d5298791dd
Instruction ID: 4f59e876e8f462647f5b87e6077f489c8bd3fa80aa1a1c9cbd2e5d0525511eb3
Opcode Fuzzy Hash: be626e2ef2a55e18661b3a68549b16555cdf0c22c566df155ca2d3d5298791dd
Instruction Fuzzy Hash: C6D05EB265172023DA202AA91D81B56014C8B54758F0114BBBE01FA3C2E1BA8C6002A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C42C, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040C42C(intOrPtr* __eax, long __ecx, void* __edx, void* __ebp) {
				long _v16;
				void* __ebx;
				int _t6;
				intOrPtr* _t9;
				long _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t9 = __eax;
				_t6 = WriteFile( *(__eax + 4), __edx, __ecx,  &_v16, 0); // executed
				if(_t6 == 0) {
					_t6 = E0040C1E4( *_t9);
				}
				if(_t15 != _v16) {
					_t6 = E0040C130(_t9, 0x1d);
				}
				return _t6;
			}

0x0040c42f
0x0040c430
0x0040c434
0x0040c443
0x0040c44a
0x0040c44e
0x0040c44e
0x0040c456
0x0040c45f
0x0040c45f
0x0040c468

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040C443

Part of subcall function 0040C1E4: GetLastError.KERNEL32(0040C0A4,0040C287,?,?,00000000,?,0041187B,00000001,00000000,00000002,00000000,00411E7A,?,00000000,00411EBE), ref: 0040C1E7

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 3f27af93616d44cafd920d86f12288abf041101562baca60bd8f4dd466a85639
Instruction ID: 5f691bc60c61b380f8ace00ad4bc758de0d67d566e919883e0a27f2df786f2ed
Opcode Fuzzy Hash: 3f27af93616d44cafd920d86f12288abf041101562baca60bd8f4dd466a85639
Instruction Fuzzy Hash: BAE01272704110ABDB10E75ED8C0F67A7DCDF85754F00817BB548DB256D574DC048AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF84, Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BF84(long __eax, void* __edx) {
				short _v2052;
				signed int _t7;
				void* _t10;
				signed int _t16;
				void* _t17;

				_t10 = __edx;
				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
				while(_t7 > 0) {
					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
					if(_t16 <= 0x20) {
						L1:
						_t7 = _t7 - 1;
						__eflags = _t7;
						continue;
					} else {
						_t20 = _t16 - 0x2e;
						if(_t16 == 0x2e) {
							goto L1;
						}
					}
					break;
				}
				return E00404DD4(_t10, _t7, _t17, _t20);
			}

0x0040bf8b
0x0040bfa3
0x0040bfab
0x0040bfaf
0x0040bfb8
0x0040bfaa
0x0040bfaa
0x0040bfaa
0x00000000
0x0040bfba
0x0040bfba
0x0040bfbe
0x00000000
0x00000000
0x0040bfbe
0x00000000
0x0040bfb8
0x0040bfd1

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,0040C156,00000000,0040C1A7,?,0040C360), ref: 0040BFA3

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 78b631aa6f0c220d234d81b028a8f39ac27aaf547ccc31545c27bd411d18f62e
Instruction ID: 54a6effb2ad2d49ab466ee6a75d0bb386577af74ea474ee3005c175c4631f906
Opcode Fuzzy Hash: 78b631aa6f0c220d234d81b028a8f39ac27aaf547ccc31545c27bd411d18f62e
Instruction Fuzzy Hash: F8E0D8A075430316F22911144C03B7B1109CBC0B00FA08436B600EF3D9DBBE985986DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B698, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E0040B698(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t24;

				_push(0);
				_push(_t24);
				_push(0x40b6de);
				_push( *[fs:eax]);
				 *[fs:eax] = _t24;
				E0040B62C(__eax, __ecx,  &_v8, __eflags);
				GetFileAttributesW(E00404D24(_v8)); // executed
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(E0040B6E5);
				return L00404C88( &_v8);
			}

0x0040b69b
0x0040b6a2
0x0040b6a3
0x0040b6a8
0x0040b6ab
0x0040b6b3
0x0040b6c1
0x0040b6ca
0x0040b6cd
0x0040b6d0
0x0040b6dd

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,0040B6DE,?,?,00000000,?,0040B6F1,0040BA6E,00000000,0040BAB3,?,?,00000000,00000000), ref: 0040B6C1

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4d65c1aa47821c360c71166b3d4a266793d1786de3f7429b732c39a9dcd030f1
Instruction ID: a06aa6656fdad5e9dbbd83ce560a082ed6b537c9876e7170b744a42e3e33ef30
Opcode Fuzzy Hash: 4d65c1aa47821c360c71166b3d4a266793d1786de3f7429b732c39a9dcd030f1
Instruction Fuzzy Hash: B3E09271704308AFE701EB72DD5391DB3ECD789704BA2087AF900F3A81E67A9E00855C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2E0, Relevance: 1.5, APIs: 1, Instructions: 26
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C2E0(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
				void* _t17;

				_t17 = CreateFileW(E00404D24(__edx),  *(0x4129dc + (_a8 & 0x000000ff) * 4),  *(0x4129e8 + (_a4 & 0x000000ff) * 4), 0,  *(0x4129f8 + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
				return _t17;
			}

0x0040c31d
0x0040c325

APIs

CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0040C31D

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 63fc4f49aec430f3829336a694d8165bea7383a72ca2888a76604ad14c713c38
Instruction ID: 13404cbe62acdba55d2813df6ef1882d8c39da72c30555add375271e33042dcc
Opcode Fuzzy Hash: 63fc4f49aec430f3829336a694d8165bea7383a72ca2888a76604ad14c713c38
Instruction Fuzzy Hash: 20E012B134416C2ED240969DAC51FA6779CA719715F008023F994DB281C0A6D9209AE8

Uniqueness

Uniqueness Score: -1.00%

Function 00405B48, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B48(void* __eax) {
				short _v532;
				intOrPtr _t14;
				void* _t16;
				intOrPtr _t18;
				WCHAR* _t19;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
					_t14 = E00405DE8(_t19); // executed
					_t18 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
					if(_t18 == 0) {
						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
					}
				}
				return  *((intOrPtr*)(_t16 + 0x10));
			}

0x00405b50
0x00405b56
0x00405b66
0x00405b6f
0x00405b74
0x00405b76
0x00405b7b
0x00405b80
0x00405b80
0x00405b7b
0x00405b8e

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00405B66

Part of subcall function 00405DE8: GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,00000000), ref: 00405E04
Part of subcall function 00405DE8: RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 00405E24
Part of subcall function 00405DE8: RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 00405E42
Part of subcall function 00405DE8: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 00405E60
Part of subcall function 00405DE8: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00405E7E
Part of subcall function 00405DE8: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405F1C,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 00405EC7
Part of subcall function 00405DE8: RegQueryValueExW.ADVAPI32(?,00406110,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405F1C,?,80000001), ref: 00405EE5
Part of subcall function 00405DE8: RegCloseKey.ADVAPI32(?,00405F23,00000000,?,?,00000000,00405F1C,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F16

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 8c9758be25788c771a96be9b96f2f469653191ca95e081fd4ab6892ed6ab7e97
Instruction ID: 514b741bebc9be100643021af33e25a7a2a1590cfa8c206c69565e72355c73da
Opcode Fuzzy Hash: 8c9758be25788c771a96be9b96f2f469653191ca95e081fd4ab6892ed6ab7e97
Instruction Fuzzy Hash: DBE0C971A007109FCB14DE58C8C5A5737E4AF08764F044A66AD14EF386D375E9108BD5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C410, Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C410(intOrPtr* __eax) {
				int _t4;
				intOrPtr* _t7;

				_t7 = __eax;
				_t4 = SetEndOfFile( *(__eax + 4)); // executed
				if(_t4 == 0) {
					return E0040C1E4( *_t7);
				}
				return _t4;
			}

0x0040c411
0x0040c417
0x0040c41e
0x00000000
0x0040c422
0x0040c428

APIs

SetEndOfFile.KERNEL32(?,7FD80010,00411C36,00000000), ref: 0040C417

Part of subcall function 0040C1E4: GetLastError.KERNEL32(0040C0A4,0040C287,?,?,00000000,?,0041187B,00000001,00000000,00000002,00000000,00411E7A,?,00000000,00411EBE), ref: 0040C1E7

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: a3404d2f1f053cf2f3e86efe0e478a67ee0e867368918682c51ca0df89d9ab2f
Instruction ID: 6b5fd851a2480aff7a6dd7d3e712bfbbac8f25b2dfd40299735038a0fc5377eb
Opcode Fuzzy Hash: a3404d2f1f053cf2f3e86efe0e478a67ee0e867368918682c51ca0df89d9ab2f
Instruction Fuzzy Hash: C0C04CB1201100C7CB00ABEAD5C191666DC6A483083448176B504DF247D678D8108A25

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACDF, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040ACDF() {
				int _t4;
				intOrPtr _t7;
				void* _t8;

				_pop(_t7);
				 *[fs:eax] = _t7;
				_push(E0040ACFD);
				_t4 = SetErrorMode( *(_t8 - 0xc)); // executed
				return _t4;
			}

0x0040ace1
0x0040ace4
0x0040ace7
0x0040acf0
0x0040acf5

APIs

SetErrorMode.KERNEL32(?,0040ACFD), ref: 0040ACF0

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: fc285dc2b3e37b3a2430b6cb798d4d006232da26ef733131f1ea31aed88b1510
Instruction ID: 112f59639df773ce5e8ef13905132ba6fc2be3043f547875694a47c1d55f0219
Opcode Fuzzy Hash: fc285dc2b3e37b3a2430b6cb798d4d006232da26ef733131f1ea31aed88b1510
Instruction Fuzzy Hash: 1CB09B7764C7405EF705D695A41152863D8D7C47143A2C477F412D65C0D53D55104519

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACFB, Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACFB() {
				int _t3;
				void* _t4;

				_t3 = SetErrorMode( *(_t4 - 0xc)); // executed
				return _t3;
			}

0x0040acf0
0x0040acf5

APIs

SetErrorMode.KERNEL32(?,0040ACFD), ref: 0040ACF0

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e041ad833e26832a7a46faca488033c8bf34126b8d66408357392999026807de
Instruction ID: 0d6ffb28b60556907f55dc5a8f6c8d323e4632824e5f7ee3d30a7447b9079724
Opcode Fuzzy Hash: e041ad833e26832a7a46faca488033c8bf34126b8d66408357392999026807de
Instruction Fuzzy Hash: A5A0222AC0C200B3CE00F2E0800082C232C3A883003C2C8A23002B2080C03E80200A0B

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE24, Relevance: 1.3, APIs: 1, Instructions: 62
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CE24(void* __eax, void* __fp0) {
				char _v16;
				char _v20;
				void* _v28;
				void* _t29;
				void* _t32;
				void* _t40;
				void* _t50;
				long _t52;

				_t40 = __eax;
				if( *((intOrPtr*)(__eax + 8))() != 5) {
					E0040CC3C(1);
				}
				E00403250(_t40 + 0x14, 0x50);
				if(E0040D9D8(_t40 + 0x14, 0x50,  &_v16,  &_v20, 5) != 0) {
					E0040CC3C(3);
				}
				if(_v16 > 0x4000000) {
					E0040CC3C(7);
				}
				_t52 = _v20 + _v16;
				if(_t52 !=  *(_t40 + 0x68)) {
					E0040CDCC(_t40);
					_t32 = VirtualAlloc(0, _t52, 0x1000, 4); // executed
					_t50 = _t32;
					 *(_t40 + 0x64) = _t50;
					if(_t50 == 0) {
						E00409818();
					}
					 *(_t40 + 0x68) = _t52;
				}
				_t29 = E0040DA28(_t40 + 0x14,  *(_t40 + 0x64) + _v20,  *(_t40 + 0x64));
				 *((char*)(_t40 + 0x11)) = 1;
				return _t29;
			}

0x0040ce2a
0x0040ce3c
0x0040ce43
0x0040ce43
0x0040ce52
0x0040ce76
0x0040ce7d
0x0040ce7d
0x0040ce8a
0x0040ce91
0x0040ce91
0x0040ce9a
0x0040cea1
0x0040cea5
0x0040ceb4
0x0040ceb9
0x0040cebb
0x0040cec0
0x0040cec2
0x0040cec2
0x0040cec7
0x0040cec7
0x0040ced7
0x0040cedc
0x0040cee6

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0040CEB4

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1c33fdcd7db3a91dc0bea8e59b530216931318dc07da37a5218f5d87b59fbcef
Instruction ID: b6681b459df67ccd1e5ce076e039c9ae0ad0e44203837902a123d5042d1e434f
Opcode Fuzzy Hash: 1c33fdcd7db3a91dc0bea8e59b530216931318dc07da37a5218f5d87b59fbcef
Instruction Fuzzy Hash: 31117231604204DBDB10EF59D8C1B5B3798DF84319F00817AF949AB2C6D638D805CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401706, Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00401706(void* __eax) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				void* _t13;
				int _t20;
				void* _t22;
				signed int _t26;
				signed int _t29;
				signed int _t30;
				void* _t34;
				intOrPtr _t35;
				signed int _t39;
				void* _t41;
				void* _t42;

				_push(_t29);
				_t42 = _t41 + 0xffffffdc;
				_t34 = __eax - 0x10;
				E0040165C();
				_t13 = _t34;
				 *_t42 =  *_t13;
				_v48 =  *((intOrPtr*)(_t13 + 4));
				_t26 =  *(_t13 + 0xc);
				if((_t26 & 0x00000008) != 0) {
					_t22 = _t34;
					_t39 = _t26 & 0xfffffff0;
					_t30 = 0;
					while(1) {
						VirtualQuery(_t22,  &_v44, 0x1c);
						if(VirtualFree(_t22, 0, 0x8000) == 0) {
							break;
						}
						_t35 = _v44.RegionSize;
						if(_t39 > _t35) {
							_t39 = _t39 - _t35;
							_t22 = _t22 + _t35;
							continue;
						}
						goto L10;
					}
					_t30 = _t30 | 0xffffffff;
				} else {
					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
					if(_t20 == 0) {
						_t30 = _t29 | 0xffffffff;
					} else {
						_t30 = 0;
					}
				}
				L10:
				if(_t30 == 0) {
					 *_v48 =  *_t42;
					 *( *_t42 + 4) = _v48;
				}
				 *0x415ac4 = 0;
				return _t30;
			}

0x0040170a
0x0040170c
0x00401711
0x00401714
0x00401719
0x0040171d
0x00401723
0x00401727
0x0040172d
0x00401749
0x0040174d
0x00401750
0x00401752
0x0040175a
0x0040176e
0x00000000
0x00000000
0x00401775
0x0040177b
0x0040177d
0x0040177f
0x00000000
0x0040177f
0x00000000
0x0040177b
0x00401770
0x0040172f
0x00401737
0x0040173e
0x00401744
0x00401740
0x00401740
0x00401740
0x0040173e
0x00401783
0x00401785
0x0040178e
0x00401797
0x00401797
0x0040179a
0x004017aa

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00401737
VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040175A
VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00401767

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Virtual$Free$Query
String ID:
API String ID: 778034434-0
Opcode ID: 1f8cc85d58d84fecc884ae731a3f0fa7b9dad45823223e1fb4daec084ce4bc2b
Instruction ID: b087b523a7cdde792340b118d0caba1a8ecc00495ea843c26d989cfd8e6ee0d2
Opcode Fuzzy Hash: 1f8cc85d58d84fecc884ae731a3f0fa7b9dad45823223e1fb4daec084ce4bc2b
Instruction Fuzzy Hash: D3F069343046009FD310DB2AC984B5BB7E5EFC8760F19C67AE9889B3A1D635DC02979A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2AC, Relevance: 1.3, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C2AC(signed int __edx) {
				void* _t3;
				void* _t4;
				void* _t6;
				signed int _t11;
				void* _t15;

				_t4 = E00403A8C(_t3, __edx);
				_t11 = __edx;
				_t15 = _t4;
				if( *((char*)(_t15 + 8)) != 0) {
					CloseHandle( *(_t15 + 4)); // executed
				}
				_t6 = E00403884(_t11 & 0x000000fc);
				if(_t11 > 0) {
					return E00403A34(_t15);
				}
				return _t6;
			}

0x0040c2ae
0x0040c2b3
0x0040c2b5
0x0040c2bb
0x0040c2c1
0x0040c2c1
0x0040c2cd
0x0040c2d4
0x00000000
0x0040c2d8
0x0040c2df

APIs

CloseHandle.KERNEL32(?), ref: 0040C2C1

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f207754768eb2adbf3d9bba580aefa7a1eecef27c8b5d337bcd18dd9ac0b30e3
Instruction ID: 52e0be0a24c7e9235cb3898ef0266e034d147dd7413e0674b114539fed1210a4
Opcode Fuzzy Hash: f207754768eb2adbf3d9bba580aefa7a1eecef27c8b5d337bcd18dd9ac0b30e3
Instruction Fuzzy Hash: 19D02B42B00A2003C21177FE44C128BA6884F0436AB084A7EB590E72D2D73CCE01439C

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDCC, Relevance: 1.3, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CDCC(void* __eax) {
				void* _t6;
				void* _t9;

				_t9 = __eax;
				 *((intOrPtr*)(__eax + 0x68)) = 0;
				_t6 =  *(__eax + 0x64);
				if(_t6 != 0) {
					VirtualFree(_t6, 0, 0x8000); // executed
					 *((intOrPtr*)(_t9 + 0x64)) = 0;
					return 0;
				}
				return _t6;
			}

0x0040cdcd
0x0040cdd1
0x0040cdd4
0x0040cdd9
0x0040cde3
0x0040cdea
0x00000000
0x0040cdea
0x0040cdee

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,0040CDB2), ref: 0040CDE3

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ff04fd8dcd11e6fbafa61476d2b9ef1a7874464dd62cbe148c55b2defef5a7c5
Instruction ID: d4de7230741a84b6279af0e8d68159cf60326ecd709791186f7f3d6a8192444b
Opcode Fuzzy Hash: ff04fd8dcd11e6fbafa61476d2b9ef1a7874464dd62cbe148c55b2defef5a7c5
Instruction Fuzzy Hash: 83D0E9B17553009BEB90FF794DC1B023BD96F08740F11447A6508EA286E674D454C654

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405BEC, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 152
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00405BEC(WCHAR* __eax, int __edx) {
				WCHAR* _v8;
				int _v12;
				WCHAR* _v16;
				void* _v20;
				struct _WIN32_FIND_DATAW _v612;
				short _v1134;
				signed int _t53;
				signed int _t54;
				signed int _t59;
				signed int _t60;
				signed int _t105;
				signed int _t106;
				intOrPtr* _t107;
				WCHAR* _t114;
				WCHAR* _t116;
				short* _t117;
				void* _t118;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_v20 = GetModuleHandleW(L"kernel32.dll");
				if(_v20 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t116 =  &(_v8[2]);
						goto L10;
					} else {
						if(_v8[1] == 0x5c) {
							_t117 = E00405BC8( &(_v8[2]));
							if( *_t117 != 0) {
								_t17 = _t117 + 2; // 0x2
								_t116 = E00405BC8(_t17);
								if( *_t116 != 0) {
									L10:
									_t105 = _t116 - _v8;
									_t106 = _t105 >> 1;
									if(_t105 < 0) {
										asm("adc ebx, 0x0");
									}
									lstrcpynW( &_v1134, _v8, _t106 + 1);
									while( *_t116 != 0) {
										_t114 = E00405BC8( &(_t116[1]));
										_t53 = _t114 - _t116;
										_t54 = _t53 >> 1;
										if(_t53 < 0) {
											asm("adc eax, 0x0");
										}
										if(_t54 + _t106 + 1 <= 0x105) {
											_t59 = _t114 - _t116;
											_t60 = _t59 >> 1;
											if(_t59 < 0) {
												asm("adc eax, 0x0");
											}
											lstrcpynW( &_v1134 + _t106 + _t106, _t116, _t60 + 1);
											_v20 = FindFirstFileW( &_v1134,  &_v612);
											if(_v20 != 0xffffffff) {
												FindClose(_v20);
												if(lstrlenW( &(_v612.cFileName)) + _t106 + 1 + 1 <= 0x105) {
													 *((short*)(_t118 + _t106 * 2 - 0x46a)) = 0x5c;
													lstrcpynW( &(( &_v1134 + _t106 + _t106)[1]),  &(_v612.cFileName), 0x105 - _t106 - 1);
													_t106 = _t106 + lstrlenW( &(_v612.cFileName)) + 1;
													_t116 = _t114;
													continue;
												}
											}
										}
										goto L23;
									}
									lstrcpynW(_v8,  &_v1134, _v12);
								}
							}
						}
					}
				} else {
					_t107 = GetProcAddress(_v20, "GetLongPathNameW");
					if(_t107 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v1134);
						_push(_v8);
						if( *_t107() == 0) {
							goto L4;
						} else {
							lstrcpynW(_v8,  &_v1134, _v12);
						}
					}
				}
				L23:
				return _v16;
			}

0x00405bf8
0x00405bfb
0x00405c01
0x00405c0e
0x00405c15
0x00405c5a
0x00405c61
0x00405ca1
0x00000000
0x00405c63
0x00405c6b
0x00405c7c
0x00405c82
0x00405c88
0x00405c90
0x00405c96
0x00405ca4
0x00405ca6
0x00405ca9
0x00405cab
0x00405cad
0x00405cad
0x00405cbf
0x00405d8e
0x00405cd1
0x00405cd5
0x00405cd7
0x00405cd9
0x00405cdb
0x00405cdb
0x00405ce6
0x00405cee
0x00405cf0
0x00405cf2
0x00405cf4
0x00405cf4
0x00405d07
0x00405d1f
0x00405d26
0x00405d30
0x00405d4c
0x00405d4e
0x00405d78
0x00405d8a
0x00405d8c
0x00000000
0x00405d8c
0x00405d4c
0x00405d26
0x00000000
0x00405ce6
0x00405da7
0x00405da7
0x00405c96
0x00405c82
0x00405c6b
0x00405c17
0x00405c25
0x00405c29
0x00000000
0x00405c2b
0x00405c2b
0x00405c36
0x00405c3a
0x00405c3f
0x00000000
0x00405c41
0x00405c50
0x00405c50
0x00405c3f
0x00405c29
0x00405dac
0x00405db5

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00407574,?,00000000), ref: 00405C09
GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 00405C20
lstrcpynW.KERNEL32(?,?,?), ref: 00405C50
lstrcpynW.KERNEL32(?,?,?,kernel32.dll,00407574,?,00000000), ref: 00405CBF
lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,00407574,?,00000000), ref: 00405D07
FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,00407574,?,00000000), ref: 00405D1A
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,00407574,?,00000000), ref: 00405D30
lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00407574,?,00000000), ref: 00405D3C
lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00407574,?), ref: 00405D78
lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00407574), ref: 00405D84
lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00405DA7

Strings

\, xrefs: 00405D4E
kernel32.dll, xrefs: 00405C04
GetLongPathNameW, xrefs: 00405C17

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 3245196872-3908791685
Opcode ID: 1253a85fb23fe974578941fb111989e320402073ff3a7dddb8b82e84d419481d
Instruction ID: c2074287e695d44b88807d81ef8362fcd301c369dd62e3440cf0f4018af864f0
Opcode Fuzzy Hash: 1253a85fb23fe974578941fb111989e320402073ff3a7dddb8b82e84d419481d
Instruction Fuzzy Hash: DB515071A006199BDB10DAA9CC89ADF73BCEF48310F1445B7A604F7291E778AE408F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E538, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040E538() {
				int _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				intOrPtr* _t6;
				int _t7;

				_t6 =  *0x412c7c; // 0x4127d8
				if( *_t6 != 2) {
					L5:
					_t7 = ExitWindowsEx(2, 0);
					asm("sbb eax, eax");
					return _t7 + 1;
				}
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					if(GetLastError() == 0) {
						goto L5;
					}
					return 0;
				}
				return 0;
			}

0x0040e53b
0x0040e543
0x0040e5a0
0x0040e5a4
0x0040e5ac
0x00000000
0x0040e5ae
0x0040e555
0x0040e567
0x0040e56c
0x0040e574
0x0040e58e
0x0040e59a
0x00000000
0x00000000
0x00000000
0x0040e59c
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0040E548
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040E54E
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040E567
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E58E
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E593
ExitWindowsEx.USER32(00000002,00000000), ref: 0040E5A4

Strings

SeShutdownPrivilege, xrefs: 0040E560

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 73c640dd25bf0da1a066829e78cec9cf5526ed5c6ab4e34b88ea435bccd2a059
Instruction ID: ae4826e5ab51033c7cebb5d2f9562618bb8fce06cce608ca78d8d7bd7c41feda
Opcode Fuzzy Hash: 73c640dd25bf0da1a066829e78cec9cf5526ed5c6ab4e34b88ea435bccd2a059
Instruction Fuzzy Hash: DAF04F70255302BAE610AAA68C07F6B71885B40B0CF544C3AF641FA1C1F7BDD525866E

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE14, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EE14() {
				struct HRSRC__* _t10;
				void* _t11;
				void* _t12;

				_t10 = FindResourceW(0, 0x2b67, 0xa);
				if(_t10 == 0) {
					E0040EC58();
				}
				if(SizeofResource(0, _t10) != 0x2c) {
					E0040EC58();
				}
				_t11 = LoadResource(0, _t10);
				if(_t11 == 0) {
					E0040EC58();
				}
				_t12 = LockResource(_t11);
				if(_t12 == 0) {
					E0040EC58();
				}
				return _t12;
			}

0x0040ee23
0x0040ee27
0x0040ee29
0x0040ee29
0x0040ee39
0x0040ee3b
0x0040ee3b
0x0040ee48
0x0040ee4c
0x0040ee4e
0x0040ee4e
0x0040ee59
0x0040ee5d
0x0040ee5f
0x0040ee5f
0x0040ee67

APIs

FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,00411893,00000000,00411E26,?,00000001,00000000,00000002,00000000,00411E7A,?,00000000,00411EBE), ref: 0040EE1E
SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,00411893,00000000,00411E26,?,00000001,00000000,00000002,00000000,00411E7A), ref: 0040EE31
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,00411893,00000000,00411E26,?,00000001,00000000,00000002,00000000), ref: 0040EE43
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,00411893,00000000,00411E26,?,00000001,00000000,00000002), ref: 0040EE54

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: beedabd750f458dd06f1c9f94445ebe4908f2dd77a18a1ac7d15fc2b28cb6172
Instruction ID: 9a1a894cb87de906872dbc2c4e5ff6763d0dc0ebe58e3aebe34ffc217bd0bdf7
Opcode Fuzzy Hash: beedabd750f458dd06f1c9f94445ebe4908f2dd77a18a1ac7d15fc2b28cb6172
Instruction Fuzzy Hash: ECE09A8678934A25F51536F748CBB2A41485B2974EF01083FB705792C3DEBDCC78416E

Uniqueness

Uniqueness Score: -1.00%

Function 00411F58, Relevance: 2.8, Strings: 2, Instructions: 293COMMON

Download Yara Rule

Strings

A, xrefs: 004120C0
A, xrefs: 004120D0

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID: A$ A
API String ID: 0-2404408537
Opcode ID: 979ee2f7727c591672275b6296110ea1ebb55da3255c677bcececde647df1bbe
Instruction ID: 7457cedb5ed69cbb85cf4ddfb14236d121e793168b090cb16968c11044191fb3
Opcode Fuzzy Hash: 979ee2f7727c591672275b6296110ea1ebb55da3255c677bcececde647df1bbe
Instruction Fuzzy Hash: 3371CD6194E3D18FD7038B7898A9591BFB0AE1722831F81DBC4C5CF0A3D29D985AC727

Uniqueness

Uniqueness Score: -1.00%

Function 0041201D, Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

A, xrefs: 004120C0
A, xrefs: 004120D0

Memory Dump Source

Source File: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID: A$ A
API String ID: 0-2404408537
Opcode ID: b104b547a6a0701a4db06a7fec429990f97f188ffad9fae172f08b49ca1a5315
Instruction ID: 0c944cd2e51d3c0e4b9b3ce97cb674e24712e8e63dc22ac9038f9f9d20385346
Opcode Fuzzy Hash: b104b547a6a0701a4db06a7fec429990f97f188ffad9fae172f08b49ca1a5315
Instruction Fuzzy Hash: 7961BE6194E3D09FD7038B7498A95917FB0AE1722831F81DBC4C5CF0A3D29D985AC72B

Uniqueness

Uniqueness Score: -1.00%

Function 0040805C, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040805C(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, WCHAR* _a8, intOrPtr* _a12) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				short _v24;
				signed int _v28;
				intOrPtr _v117;
				intOrPtr* _t28;
				WCHAR* _t29;
				int _t30;
				short _t35;
				intOrPtr _t38;
				WCHAR* _t43;
				intOrPtr* _t44;
				short _t53;
				short _t55;

				_t28 = __eax +  *__eax;
				 *_t28 =  *_t28 + _t28;
				 *__edx =  *__edx + __ebx;
				 *_t28 =  *_t28 + _t28;
				 *_t28 =  *_t28 + _t28;
				_v117 = _v117 + __edx;
				_push(__ebx);
				_t29 = _a8;
				if(_t29 == 0) {
					_t29 = 0;
				}
				_t30 = GetDiskFreeSpaceW(_t29,  &_v8,  &_v12,  &_v16,  &_v20);
				_v28 = _v8 * _v12;
				_v24 = 0;
				_t53 = _v24;
				_t35 = E004058EC(_v28, _t53, _v16, 0);
				_t43 = _a8;
				 *_t43 = _t35;
				_t43[2] = _t53;
				_t55 = _v24;
				_t38 = E004058EC(_v28, _t55, _v20, 0);
				_t44 = _a12;
				 *_t44 = _t38;
				 *(_t44 + 4) = _t55;
				return _t30;
			}

0x0040805c
0x0040805e
0x00408061
0x00408063
0x00408065
0x00408067
0x0040806e
0x0040806f
0x00408074
0x00408076
0x00408076
0x00408089
0x00408098
0x0040809b
0x004080a8
0x004080ab
0x004080b0
0x004080b3
0x004080b5
0x004080c2
0x004080c5
0x004080ca
0x004080cd
0x004080cf
0x004080d8

APIs

GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 00408089

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 1b7c22238b0c46b284b2b107f6e5e28a964c48cdf51e692455e1591c4b1c28f1
Instruction ID: a068575fb17e70d0eb2dd941d71b6181fb06f7ad23ffcb3780b10a2596b4250a
Opcode Fuzzy Hash: 1b7c22238b0c46b284b2b107f6e5e28a964c48cdf51e692455e1591c4b1c28f1
Instruction Fuzzy Hash: C01112B5E05249AFCB01DFA9C8818EFBBF5EF89300B14C5AAE405EB251D6315E05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00408EB4, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00408EB4(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				short _v516;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoW(__eax, __edx,  &_v516, 0x100);
				_t19 = _t5;
				if(_t5 <= 0) {
					return E00404C98(_t10, _t18);
				}
				return E00404DD4(_t10, _t5 - 1,  &_v516, _t19);
			}

0x00408ebf
0x00408ec1
0x00408ed2
0x00408ed7
0x00408ed9
0x00000000
0x00408ef1
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00408ED2

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 246054f9c36c1f2196f49bbd947a24d2e959c1ac7231b52c9a5afb00355492ba
Instruction ID: efd930654affab819bb145c5b770efe1d407367608a80b1910e27d3113095914
Opcode Fuzzy Hash: 246054f9c36c1f2196f49bbd947a24d2e959c1ac7231b52c9a5afb00355492ba
Instruction Fuzzy Hash: B5E0927170021857E714A5998D869E7725C9B88300F00017FBA05E7383ED759D5043E9

Uniqueness

Uniqueness Score: -1.00%

Function 00408F00, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00408F00(int __eax, signed int __ecx, int __edx) {
				short _v16;
				signed int _t5;
				signed int _t10;

				_push(__ecx);
				_t10 = __ecx;
				if(GetLocaleInfoW(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t10;
				} else {
					_t5 = _v16 & 0x0000ffff;
				}
				return _t5;
			}

0x00408f03
0x00408f04
0x00408f1a
0x00408f22
0x00408f1c
0x00408f1c
0x00408f1c
0x00408f28

APIs

GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040A65C,00000000,0040A886,?,?,00000000,00000000), ref: 00408F13

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 94732180e3b9d4c1534f10bd835daa7b5d390fea32fce7ec4f8fcd00424c145c
Instruction ID: c1a5af872d8d8e0d8faaa3b155c0f045d42fbc39b27c6cde3df4525be18a7e6a
Opcode Fuzzy Hash: 94732180e3b9d4c1534f10bd835daa7b5d390fea32fce7ec4f8fcd00424c145c
Instruction Fuzzy Hash: 20D0A7B630922076E620916B7E45D7766DDCBC4772F10443FBA89D7281D674CC05D379

Uniqueness

Uniqueness Score: -1.00%

Function 0040E640, Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E640(signed int __eax) {
				short _v8;
				signed int _t6;

				_t6 = GetLocaleInfoW(__eax & 0x0000ffff, 0x20001004,  &_v8, 2);
				if(_t6 <= 0) {
					return _t6 | 0xffffffff;
				}
				return _v8;
			}

0x0040e656
0x0040e65d
0x00000000
0x0040e664
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,0040E73F), ref: 0040E656

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6308b6ad815ab94f5877452a5c18b2a5c5f0fe134cd48218108c47e1a222a2b6
Instruction ID: 61ad4570fdc9bd1f637c2ab62d59952224da12b932db04316d1523c8ac21b311
Opcode Fuzzy Hash: 6308b6ad815ab94f5877452a5c18b2a5c5f0fe134cd48218108c47e1a222a2b6
Instruction Fuzzy Hash: 2BD05BA1514308FAF900C1E66D42D7672DCD704728F500A27F614D61C1D567EE109225

Uniqueness

Uniqueness Score: -1.00%

Function 0041259C, Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

&A, xrefs: 004126D0

Memory Dump Source

Source File: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID: &A
API String ID: 0-2212290781
Opcode ID: 0c1de60a467e1e6129b6f2d3ff0ed73219971deb1be5c98f5a1c1eb06499fddc
Instruction ID: 301b4dec1d5bbc155b22ff81198e2eeb1a72de7aecc26b96be1c397ffca95008
Opcode Fuzzy Hash: 0c1de60a467e1e6129b6f2d3ff0ed73219971deb1be5c98f5a1c1eb06499fddc
Instruction Fuzzy Hash: 4951DD6244E3C0AFD3274B3489751957FB0AE6B22476A01CFC4C5CF4B3DA6E099AC726

Uniqueness

Uniqueness Score: -1.00%

Function 0040D33C, Relevance: .5, Instructions: 545
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040D33C(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v25;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				char _v64;
				char* _v68;
				void* _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v89;
				char _v96;
				signed int _v100;
				signed int _v104;
				short* _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				signed int _t370;
				void* _t375;
				signed int _t377;
				signed int _t381;
				signed int _t389;
				signed int _t395;
				signed int _t411;
				intOrPtr _t422;
				signed int _t426;
				signed int _t435;
				void* _t448;
				signed int _t458;
				char _t460;
				signed int _t474;
				char* _t503;
				signed int _t508;
				signed int _t616;
				signed int _t617;
				signed int _t618;
				signed int _t622;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v20 =  *((intOrPtr*)(_v8 + 0x10));
				_v24 = 0;
				_v32 = (1 <<  *(_v8 + 8)) - 1;
				_v36 = (1 <<  *(_v8 + 4)) - 1;
				_v40 =  *_v8;
				_t617 =  *((intOrPtr*)(_v8 + 0x34));
				_t474 =  *(_v8 + 0x44);
				_v44 =  *((intOrPtr*)(_v8 + 0x38));
				_v48 =  *((intOrPtr*)(_v8 + 0x3c));
				_v52 =  *((intOrPtr*)(_v8 + 0x40));
				_v56 =  *((intOrPtr*)(_v8 + 0x48));
				_v60 =  *((intOrPtr*)(_v8 + 0x2c));
				_v64 =  *((intOrPtr*)(_v8 + 0x30));
				_v68 =  *((intOrPtr*)(_v8 + 0x1c));
				_v72 =  *((intOrPtr*)(_v8 + 0xc));
				_t616 =  *((intOrPtr*)(_v8 + 0x28));
				_v128 =  *((intOrPtr*)(_v8 + 0x20));
				_v124 =  *((intOrPtr*)(_v8 + 0x24));
				_v120 = _v12;
				_v136 =  *((intOrPtr*)(_v8 + 0x14));
				_v132 =  *((intOrPtr*)(_v8 + 0x18));
				 *_a4 = 0;
				if(_v56 == 0xffffffff) {
					return 0;
				}
				__eflags = _v72;
				if(_v72 == 0) {
					_v68 =  &_v76;
					_v72 = 1;
					_v76 =  *((intOrPtr*)(_v8 + 0x4c));
				}
				__eflags = _v56 - 0xfffffffe;
				if(_v56 != 0xfffffffe) {
					L12:
					_v108 = _v16 + _v24;
					while(1) {
						__eflags = _v56;
						if(_v56 == 0) {
							break;
						}
						__eflags = _v24 - _a8;
						if(_v24 < _a8) {
							_t458 = _t616 - _t617;
							__eflags = _t458 - _v72;
							if(_t458 >= _v72) {
								_t458 = _t458 + _v72;
								__eflags = _t458;
							}
							_t460 =  *((intOrPtr*)(_v68 + _t458));
							 *((char*)(_v68 + _t616)) = _t460;
							 *_v108 = _t460;
							_v24 = _v24 + 1;
							_v108 = _v108 + 1;
							_t616 = _t616 + 1;
							__eflags = _t616 - _v72;
							if(_t616 == _v72) {
								_t616 = 0;
								__eflags = 0;
							}
							_t116 =  &_v56;
							 *_t116 = _v56 - 1;
							__eflags =  *_t116;
							continue;
						}
						break;
					}
					__eflags = _t616;
					if(_t616 != 0) {
						_v25 =  *((intOrPtr*)(_v68 + _t616 - 1));
					} else {
						_v25 =  *((intOrPtr*)(_v68 + _v72 - 1));
					}
					__eflags = 0;
					_v116 = 0;
					_v112 = 0;
					while(1) {
						L24:
						_v108 = _v16 + _v24;
						__eflags = _v24 - _a8;
						if(_v24 >= _a8) {
							break;
						} else {
							goto L25;
						}
						while(1) {
							L25:
							_v88 = _v24 + _v60 & _v32;
							__eflags = _v116;
							if(_v116 != 0) {
								break;
							}
							__eflags = _v112;
							if(_v112 == 0) {
								_t370 = E0040D094((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88,  &_v136);
								__eflags = _t370;
								if(_t370 != 0) {
									_t375 = E0040D094(_t474 + _t474 + _v20 + 0x180,  &_v136);
									__eflags = _t375 != 1;
									if(_t375 != 1) {
										_v52 = _v48;
										_v48 = _v44;
										_v44 = _t617;
										__eflags = _t474 - 7;
										if(__eflags >= 0) {
											_t377 = 0xa;
										} else {
											_t377 = 7;
										}
										_t474 = _t377;
										_v56 = E0040D244(_v20 + 0x664, _v88,  &_v136, __eflags);
										_t503 =  &_v136;
										__eflags = _v56 - 4;
										if(_v56 >= 4) {
											_t381 = 3;
										} else {
											_t381 = _v56;
										}
										_v100 = E0040D11C((_t381 << 6) + (_t381 << 6) + _v20 + 0x360, _t503, 6);
										__eflags = _v100 - 4;
										if(_v100 < 4) {
											_t618 = _v100;
										} else {
											_v104 = (_v100 >> 1) - 1;
											_t524 = _v104;
											_t622 = (_v100 & 0x00000001 | 0x00000002) << _v104;
											__eflags = _v100 - 0xe;
											if(_v100 >= 0xe) {
												_t395 = E0040D034( &_v136, _t524, _v104 + 0xfffffffc);
												_t618 = _t622 + (_t395 << 4) + E0040D160(_v20 + 0x644,  &_v136, 4);
											} else {
												_t618 = _t622 + E0040D160(_t622 + _t622 + _v20 + 0x560 - _v100 + _v100 + 0xfffffffe,  &_v136, _v104);
											}
										}
										_t617 = _t618 + 1;
										__eflags = _t617;
										if(_t617 != 0) {
											L82:
											_v56 = _v56 + 2;
											__eflags = _t617 - _v64;
											if(_t617 <= _v64) {
												__eflags = _v72 - _v64 - _v56;
												if(_v72 - _v64 <= _v56) {
													_v64 = _v72;
												} else {
													_v64 = _v64 + _v56;
												}
												while(1) {
													_t389 = _t616 - _t617;
													__eflags = _t389 - _v72;
													if(_t389 >= _v72) {
														_t389 = _t389 + _v72;
														__eflags = _t389;
													}
													_v25 =  *((intOrPtr*)(_v68 + _t389));
													 *((char*)(_v68 + _t616)) = _v25;
													_t616 = _t616 + 1;
													__eflags = _t616 - _v72;
													if(_t616 == _v72) {
														_t616 = 0;
														__eflags = 0;
													}
													_v56 = _v56 - 1;
													 *_v108 = _v25;
													_v24 = _v24 + 1;
													_v108 = _v108 + 1;
													__eflags = _v56;
													if(_v56 == 0) {
														break;
													}
													__eflags = _v24 - _a8;
													if(_v24 < _a8) {
														continue;
													}
													break;
												}
												L93:
												__eflags = _v24 - _a8;
												if(_v24 < _a8) {
													continue;
												}
												goto L94;
											}
											return 1;
										} else {
											_v56 = 0xffffffff;
											goto L94;
										}
									}
									_t411 = E0040D094(_t474 + _t474 + _v20 + 0x198,  &_v136);
									__eflags = _t411;
									if(_t411 != 0) {
										__eflags = E0040D094(_t474 + _t474 + _v20 + 0x1b0,  &_v136);
										if(__eflags != 0) {
											__eflags = E0040D094(_t474 + _t474 + _v20 + 0x1c8,  &_v136);
											if(__eflags != 0) {
												_t422 = _v52;
												_v52 = _v48;
											} else {
												_t422 = _v48;
											}
											_v48 = _v44;
										} else {
											_t422 = _v44;
										}
										_v44 = _t617;
										_t617 = _t422;
										L65:
										_v56 = E0040D244(_v20 + 0xa68, _v88,  &_v136, __eflags);
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t426 = 0xb;
										} else {
											_t426 = 8;
										}
										_t474 = _t426;
										goto L82;
									}
									__eflags = E0040D094((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88 + 0x1e0,  &_v136);
									if(__eflags != 0) {
										goto L65;
									}
									__eflags = _v64;
									if(_v64 != 0) {
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t508 = 0xb;
										} else {
											_t508 = 9;
										}
										_t474 = _t508;
										_t435 = _t616 - _t617;
										__eflags = _t435 - _v72;
										if(_t435 >= _v72) {
											_t435 = _t435 + _v72;
											__eflags = _t435;
										}
										_v25 =  *((intOrPtr*)(_v68 + _t435));
										 *((char*)(_v68 + _t616)) = _v25;
										_t616 = _t616 + 1;
										__eflags = _t616 - _v72;
										if(_t616 == _v72) {
											_t616 = 0;
											__eflags = 0;
										}
										 *_v108 = _v25;
										_v24 = _v24 + 1;
										__eflags = _v64 - _v72;
										if(_v64 < _v72) {
											_v64 = _v64 + 1;
										}
										goto L24;
									}
									return 1;
								}
								_t448 = (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + _v20 + 0xe6c;
								__eflags = _t474 - 7;
								if(__eflags < 0) {
									_v25 = E0040D1A4(_t448,  &_v136, __eflags);
								} else {
									_v96 = _t616 - _t617;
									__eflags = _v96 - _v72;
									if(__eflags >= 0) {
										_t161 =  &_v96;
										 *_t161 = _v96 + _v72;
										__eflags =  *_t161;
									}
									_v89 =  *((intOrPtr*)(_v68 + _v96));
									_v25 = E0040D1D0(_t448, _v89,  &_v136, __eflags);
								}
								 *_v108 = _v25;
								_v24 = _v24 + 1;
								_v108 = _v108 + 1;
								__eflags = _v64 - _v72;
								if(_v64 < _v72) {
									_t180 =  &_v64;
									 *_t180 = _v64 + 1;
									__eflags =  *_t180;
								}
								 *((char*)(_v68 + _t616)) = _v25;
								_t616 = _t616 + 1;
								__eflags = _t616 - _v72;
								if(_t616 == _v72) {
									_t616 = 0;
									__eflags = 0;
								}
								__eflags = _t474 - 4;
								if(_t474 >= 4) {
									__eflags = _t474 - 0xa;
									if(_t474 >= 0xa) {
										_t474 = _t474 - 6;
									} else {
										_t474 = _t474 - 3;
									}
								} else {
									_t474 = 0;
								}
								goto L93;
							}
							return 1;
						}
						return _v116;
					}
					L94:
					 *((intOrPtr*)(_v8 + 0x20)) = _v128;
					 *((intOrPtr*)(_v8 + 0x24)) = _v124;
					 *((intOrPtr*)(_v8 + 0x28)) = _t616;
					 *((intOrPtr*)(_v8 + 0x2c)) = _v60 + _v24;
					 *((intOrPtr*)(_v8 + 0x30)) = _v64;
					 *((intOrPtr*)(_v8 + 0x34)) = _t617;
					 *((intOrPtr*)(_v8 + 0x38)) = _v44;
					 *((intOrPtr*)(_v8 + 0x3c)) = _v48;
					 *((intOrPtr*)(_v8 + 0x40)) = _v52;
					 *(_v8 + 0x44) = _t474;
					 *((intOrPtr*)(_v8 + 0x48)) = _v56;
					 *((char*)(_v8 + 0x4c)) = _v76;
					 *((intOrPtr*)(_v8 + 0x14)) = _v136;
					 *((intOrPtr*)(_v8 + 0x18)) = _v132;
					 *_a4 = _v24;
					__eflags = 0;
					return 0;
				}
				_v80 = (0x300 <<  *(_v8 + 4) + _v40) + 0x736;
				_v84 = 0;
				_v108 = _v20;
				__eflags = _v84 - _v80;
				if(_v84 >= _v80) {
					L7:
					_v52 = 1;
					_v48 = 1;
					_v44 = 1;
					_t617 = 1;
					_v60 = 0;
					_v64 = 0;
					_t474 = 0;
					_t616 = 0;
					 *((char*)(_v68 + _v72 - 1)) = 0;
					E0040CFF4( &_v136);
					__eflags = _v116;
					if(_v116 != 0) {
						return _v116;
					}
					__eflags = _v112;
					if(_v112 == 0) {
						__eflags = 0;
						_v56 = 0;
						goto L12;
					} else {
						return 1;
					}
				} else {
					goto L6;
				}
				do {
					L6:
					 *_v108 = 0x400;
					_v84 = _v84 + 1;
					_v108 = _v108 + 2;
					__eflags = _v84 - _v80;
				} while (_v84 < _v80);
				goto L7;
			}

0x0040d348
0x0040d34b
0x0040d34e
0x0040d359
0x0040d35c
0x0040d36d
0x0040d37e
0x0040d386
0x0040d38f
0x0040d395
0x0040d39b
0x0040d3a4
0x0040d3ad
0x0040d3b6
0x0040d3bf
0x0040d3c8
0x0040d3d1
0x0040d3da
0x0040d3e3
0x0040d3e9
0x0040d3f2
0x0040d3f8
0x0040d401
0x0040d40f
0x0040d415
0x0040d41b
0x00000000
0x0040d41d
0x0040d424
0x0040d428
0x0040d42d
0x0040d430
0x0040d43d
0x0040d43d
0x0040d440
0x0040d444
0x0040d4e5
0x0040d4ee
0x0040d523
0x0040d523
0x0040d527
0x00000000
0x00000000
0x0040d52c
0x0040d52f
0x0040d4f5
0x0040d4f7
0x0040d4fa
0x0040d4fc
0x0040d4fc
0x0040d4fc
0x0040d509
0x0040d50a
0x0040d510
0x0040d512
0x0040d515
0x0040d518
0x0040d519
0x0040d51c
0x0040d51e
0x0040d51e
0x0040d51e
0x0040d520
0x0040d520
0x0040d520
0x00000000
0x0040d520
0x00000000
0x0040d52f
0x0040d531
0x0040d533
0x0040d54b
0x0040d535
0x0040d53f
0x0040d53f
0x0040d550
0x0040d552
0x0040d555
0x0040d558
0x0040d558
0x0040d561
0x0040d567
0x0040d56a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040d570
0x0040d570
0x0040d579
0x0040d57c
0x0040d580
0x00000000
0x00000000
0x0040d58a
0x0040d58e
0x0040d5b1
0x0040d5b6
0x0040d5b8
0x0040d691
0x0040d696
0x0040d697
0x0040d7d7
0x0040d7dd
0x0040d7e0
0x0040d7e3
0x0040d7e6
0x0040d7ef
0x0040d7e8
0x0040d7e8
0x0040d7e8
0x0040d7f4
0x0040d80c
0x0040d80f
0x0040d815
0x0040d819
0x0040d820
0x0040d81b
0x0040d81b
0x0040d81b
0x0040d83c
0x0040d83f
0x0040d843
0x0040d8bc
0x0040d845
0x0040d84b
0x0040d84e
0x0040d85a
0x0040d85c
0x0040d860
0x0040d896
0x0040d8b8
0x0040d862
0x0040d886
0x0040d886
0x0040d860
0x0040d8bf
0x0040d8bf
0x0040d8c0
0x0040d8cb
0x0040d8cb
0x0040d8cf
0x0040d8d2
0x0040d8e4
0x0040d8e7
0x0040d8f4
0x0040d8e9
0x0040d8ec
0x0040d8ec
0x0040d8f7
0x0040d8f9
0x0040d8fb
0x0040d8fe
0x0040d900
0x0040d900
0x0040d900
0x0040d909
0x0040d912
0x0040d915
0x0040d916
0x0040d919
0x0040d91b
0x0040d91b
0x0040d91b
0x0040d91d
0x0040d926
0x0040d928
0x0040d92b
0x0040d92e
0x0040d932
0x00000000
0x00000000
0x0040d937
0x0040d93a
0x00000000
0x00000000
0x00000000
0x0040d93a
0x0040d93c
0x0040d93f
0x0040d942
0x00000000
0x00000000
0x00000000
0x0040d942
0x00000000
0x0040d8c2
0x0040d8c2
0x00000000
0x0040d8c2
0x0040d8c0
0x0040d6af
0x0040d6b4
0x0040d6b6
0x0040d766
0x0040d768
0x0040d786
0x0040d788
0x0040d78f
0x0040d795
0x0040d78a
0x0040d78a
0x0040d78a
0x0040d79b
0x0040d76a
0x0040d76a
0x0040d76a
0x0040d79e
0x0040d7a1
0x0040d7a3
0x0040d7b9
0x0040d7bc
0x0040d7bf
0x0040d7c8
0x0040d7c1
0x0040d7c1
0x0040d7c1
0x0040d7cd
0x00000000
0x0040d7cd
0x0040d6dd
0x0040d6df
0x00000000
0x00000000
0x0040d6e5
0x0040d6e9
0x0040d6f5
0x0040d6f8
0x0040d701
0x0040d6fa
0x0040d6fa
0x0040d6fa
0x0040d706
0x0040d70a
0x0040d70c
0x0040d70f
0x0040d711
0x0040d711
0x0040d711
0x0040d71a
0x0040d723
0x0040d726
0x0040d727
0x0040d72a
0x0040d72c
0x0040d72c
0x0040d72c
0x0040d734
0x0040d736
0x0040d73c
0x0040d73f
0x0040d745
0x0040d745
0x00000000
0x0040d73f
0x00000000
0x0040d6eb
0x0040d5e8
0x0040d5ed
0x0040d5f0
0x0040d631
0x0040d5f2
0x0040d5f6
0x0040d5fc
0x0040d5ff
0x0040d604
0x0040d604
0x0040d604
0x0040d604
0x0040d610
0x0040d621
0x0040d621
0x0040d63a
0x0040d63c
0x0040d63f
0x0040d645
0x0040d648
0x0040d64a
0x0040d64a
0x0040d64a
0x0040d64a
0x0040d653
0x0040d656
0x0040d657
0x0040d65a
0x0040d65c
0x0040d65c
0x0040d65c
0x0040d65e
0x0040d661
0x0040d66a
0x0040d66d
0x0040d677
0x0040d66f
0x0040d66f
0x0040d66f
0x0040d663
0x0040d663
0x0040d663
0x00000000
0x0040d661
0x00000000
0x0040d590
0x00000000
0x0040d582
0x0040d948
0x0040d94e
0x0040d957
0x0040d95d
0x0040d969
0x0040d972
0x0040d978
0x0040d981
0x0040d98a
0x0040d993
0x0040d999
0x0040d9a2
0x0040d9ab
0x0040d9b7
0x0040d9c0
0x0040d9c9
0x0040d9cb
0x00000000
0x0040d9cb
0x0040d461
0x0040d464
0x0040d46c
0x0040d472
0x0040d475
0x0040d48e
0x0040d495
0x0040d498
0x0040d49b
0x0040d49e
0x0040d4a0
0x0040d4a5
0x0040d4a8
0x0040d4b0
0x0040d4b2
0x0040d4bd
0x0040d4c2
0x0040d4c6
0x00000000
0x0040d4c8
0x0040d4d0
0x0040d4d4
0x0040d4e0
0x0040d4e2
0x00000000
0x0040d4d6
0x00000000
0x0040d4d6
0x00000000
0x00000000
0x00000000
0x0040d477
0x0040d477
0x0040d47a
0x0040d47f
0x0040d482
0x0040d489
0x0040d489
0x00000000

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: a068efe37126c024b14c2b8cc3b836a628f8053012d03d8a2c3558ca0f700bcf
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: 2532D375E00219DFCB14CFD9C980AADBBB2BF88314F24816AD815BB395D734AE46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402260, Relevance: .1, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 51%

			E00402260(void* __eax, char* __edx) {
				char* _t103;

				_t103 = __edx;
				_t39 = __eax + 1;
				 *__edx = 0xffffffff89705f71;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = ((((((((((__eax + 0x00000001) * 0x89705f41 >> 0x00000020 & 0x1fffffff) + 0xfffffffe25c17d04 + (_t39 * 0x89705f41 >> 0x0000001e) & 0x0fffffff) + 0xfffffffe25c17d04 & 0x07ffffff) + 0xfffffffe25c17d04 & 0x03ffffff) + 0xfffffffe25c17d04 & 0x01ffffff) + 0xfffffffe25c17d04 & 0x00ffffff) + 0xfffffffe25c17d04 & 0x007fffff) + 0xfffffffe25c17d04 & 0x003fffff) + 0xfffffffe25c17d04 & 0x001fffff) + 0xfffffffe25c17d04 >> 0x00000014 | 0x00000030;
				_t37 = _t103 + 1; // 0x1
				return _t37;
			}

0x00402261
0x00402263
0x00402285
0x0040228c
0x0040229d
0x004022a8
0x004022b9
0x004022c4
0x004022d5
0x004022e0
0x004022f1
0x004022fc
0x0040230d
0x00402318
0x00402329
0x00402334
0x00402345
0x00402350
0x00402361
0x00402369
0x00402372
0x00402374
0x00402378

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Uniqueness

Uniqueness Score: -1.00%

Function 004096AC, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 97
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E004096AC(long __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				char* _v8;
				long _v12;
				short _v140;
				short _v2188;
				void* _t16;
				char* _t18;
				intOrPtr _t20;
				intOrPtr _t22;
				intOrPtr _t31;
				intOrPtr _t55;
				intOrPtr _t56;
				int _t60;
				void* _t63;

				_push(__ebx);
				_push(__esi);
				_v8 = 0;
				_push(_t63);
				_push(0x4097d1);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t63 + 0xfffff778;
				_t60 = E004094C0(_t16, __ebx,  &_v2188, __edx, __edi, __esi, __fp0, 0x400);
				_t18 =  *0x412c2c; // 0x41304c
				if( *_t18 == 0) {
					_t20 =  *0x412b48; // 0x406b84
					_t12 = _t20 + 4; // 0xffe8
					_t22 =  *0x415b48; // 0x400000
					LoadStringW(E00405B90(_t22),  *_t12,  &_v140, 0x40);
					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
				} else {
					_t31 =  *0x412b68; // 0x413324
					E00402F6C(E0040317C(_t31));
					WideCharToMultiByte(1, 0,  &_v2188, _t60, 0, 0, 0, 0);
					 *((intOrPtr*)(__ebx + 0x458d53d8)) =  *((intOrPtr*)(__ebx + 0x458d53d8)) - 1;
					asm("cld");
					E00405AD8();
					WideCharToMultiByte(1, 0,  &_v2188, _t60, _v8, __ebx, 0, 0);
					WriteFile(GetStdHandle(0xfffffff4), _v8, __ebx,  &_v12, 0);
					WriteFile(GetStdHandle(0xfffffff4), 0x4097ec, 2,  &_v12, 0);
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E004097D8);
				_t56 =  *0x409688; // 0x40968c
				return E00405AE4( &_v8, _t56);
			}

0x004096b5
0x004096b6
0x004096b9
0x004096be
0x004096bf
0x004096c4
0x004096c7
0x004096da
0x004096dc
0x004096e4
0x00409782
0x00409787
0x0040978b
0x00409796
0x004097b0
0x004096ea
0x004096ea
0x004096f4
0x0040970d
0x00409711
0x00409717
0x00409723
0x00409740
0x00409758
0x00409772
0x00409772
0x004097b7
0x004097ba
0x004097bd
0x004097c5
0x004097d0

APIs

Part of subcall function 004094C0: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040966C), ref: 004094F3
Part of subcall function 004094C0: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00409517
Part of subcall function 004094C0: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00409532
Part of subcall function 004094C0: LoadStringW.USER32(00000000,0000FFE7,?,00000100), ref: 004095CD

WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,004097D1), ref: 0040970D
WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409740
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409752
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409758
GetStdHandle.KERNEL32(000000F4,004097EC,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0040976C
WriteFile.KERNEL32(00000000,000000F4,004097EC,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00409772
LoadStringW.USER32(00000000,0000FFE8,?,00000040), ref: 00409796
MessageBoxW.USER32(00000000,?,?,00002010), ref: 004097B0

Strings

L0A, xrefs: 004096DC
$3A, xrefs: 004096EA

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
String ID: $3A$L0A
API String ID: 135118572-3383676211
Opcode ID: 6256b621ce2eaf9d39ea15f4150e8e09d1030e9b365cd881d9086c78bb695208
Instruction ID: d743ab820349e8adbd7c60ec5032b16471490a2e5750d79ad5bafee0f0e263d8
Opcode Fuzzy Hash: 6256b621ce2eaf9d39ea15f4150e8e09d1030e9b365cd881d9086c78bb695208
Instruction Fuzzy Hash: A3317572644204BFEB10EB65DC82FDA77BCEB08704F508176B605F71D2DA74AE508B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040969F, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 106
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040969F(void* __eax, long __ebx, void* __ecx, void* __edx, void* __edi, int __esi, void* __fp0, intOrPtr _a8) {
				void* _v4;
				long _v8;
				intOrPtr _v16;
				short _v140;
				char _v1564;
				char _v1636;
				short _v2184;
				short _v2188;
				char _v2196;
				intOrPtr* _t22;
				long _t44;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t58;
				int _t60;

				_t60 = __esi;
				_t44 = __ebx;
				_t22 = __eax + 1;
				 *_t22 =  *_t22 + __ecx;
				_push(__ebx);
				if( *_t22 >= 0) {
					L9:
					E00405AD8();
					WideCharToMultiByte(1, 0,  &_v2184, _t60, _v4, _t44, 0, 0);
					WriteFile(GetStdHandle(0xfffffff4), _v4, _t44,  &_v8, 0);
					WriteFile(GetStdHandle(0xfffffff4), 0x4097ec, 2,  &_v8, 0);
					goto L11;
				} else {
					_push(__ebp);
					if(__eflags == 0) {
						L8:
						 *((intOrPtr*)(__ebx + 0x458d53d8)) =  *((intOrPtr*)(__ebx + 0x458d53d8)) - 1;
						asm("cld");
						goto L9;
					} else {
						asm("insb");
						if(__eflags >= 0) {
							E00408290(_v4,  &_v1564, _a8, __fp0);
							E004080DC(_v4);
							_t58 = 4;
							 *[fs:eax] = _t58;
							_push(E00409673);
							return L00404C88( &_v1636);
						} else {
							asm("rcl byte [ebp-0x75], 0xec");
							_push(__ebp);
							__ebp = __esp;
							__esp = __esp + 0xfffff778;
							_push(__ebx);
							_push(__esi);
							__ecx = 0;
							_v16 = 0;
							__ecx = 0;
							_push(__ebp);
							_push(0x4097d1);
							_push( *[fs:ecx]);
							 *[fs:ecx] = __esp;
							__ecx =  &_v2196;
							__esi = __eax;
							__eax =  *0x412c2c; // 0x41304c
							__eflags =  *__eax;
							if( *__eax == 0) {
								__eax =  &_v140;
								__eax =  *0x412b48; // 0x406b84
								_t17 = __eax + 4; // 0xffe8
								__eax =  *_t17;
								__eax =  *0x415b48; // 0x400000
								 &_v140 =  &_v2188;
								__eax = MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
							} else {
								__eax =  *0x412b68; // 0x413324
								 &_v2188 = WideCharToMultiByte(1, 0,  &_v2188, __esi, 0, 0, 0, 0);
								goto L8;
							}
							L11:
							__eflags = 0;
							_pop(_t55);
							 *[fs:eax] = _t55;
							_push(E004097D8);
							_t56 =  *0x409688; // 0x40968c
							return E00405AE4( &_v4, _t56);
						}
					}
				}
			}

0x0040969f
0x0040969f
0x0040969f
0x004096a0
0x004096a2
0x004096a3
0x00409718
0x00409723
0x00409740
0x00409758
0x00409772
0x00000000
0x004096a5
0x004096a5
0x004096a6
0x00409711
0x00409711
0x00409717
0x00000000
0x004096a8
0x004096a8
0x004096a9
0x00409644
0x0040964c
0x00409655
0x00409658
0x0040965b
0x0040966b
0x004096ab
0x004096ab
0x004096ac
0x004096ad
0x004096af
0x004096b5
0x004096b6
0x004096b7
0x004096b9
0x004096bc
0x004096be
0x004096bf
0x004096c4
0x004096c7
0x004096cf
0x004096da
0x004096dc
0x004096e1
0x004096e4
0x0040977b
0x00409782
0x00409787
0x00409787
0x0040978b
0x004097a7
0x004097b0
0x004096ea
0x004096ea
0x0040970d
0x00000000
0x0040970d
0x004097b5
0x004097b5
0x004097b7
0x004097ba
0x004097bd
0x004097c5
0x004097d0
0x004097d0
0x004096a9
0x004096a6

APIs

WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,004097D1), ref: 0040970D
WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409740
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409752
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409758
GetStdHandle.KERNEL32(000000F4,004097EC,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0040976C
WriteFile.KERNEL32(00000000,000000F4,004097EC,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00409772

Part of subcall function 004094C0: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040966C), ref: 004094F3
Part of subcall function 004094C0: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00409517
Part of subcall function 004094C0: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00409532
Part of subcall function 004094C0: LoadStringW.USER32(00000000,0000FFE7,?,00000100), ref: 004095CD

LoadStringW.USER32(00000000,0000FFE8,?,00000040), ref: 00409796
MessageBoxW.USER32(00000000,?,?,00002010), ref: 004097B0

Strings

L0A, xrefs: 004096DC
$3A, xrefs: 004096EA

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
String ID: $3A$L0A
API String ID: 135118572-3383676211
Opcode ID: 59a5544e00e8df00c93c8ac2435b0a387c19da4843a0f052570015d5bc5b541a
Instruction ID: 9623f77fa857817c419b37d2b63328917fb83caa2a3adea5a2c34ff05e22799b
Opcode Fuzzy Hash: 59a5544e00e8df00c93c8ac2435b0a387c19da4843a0f052570015d5bc5b541a
Instruction Fuzzy Hash: 0331B272644204BFEB14EB61DC82F9A77BCDB44714F6041BAB601B71D2DAB96E408A68

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCB4, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82
registryCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040BCB4(void* __ebx, void* __esi, void* __eflags) {
				char _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr* _t21;
				intOrPtr* _t22;
				intOrPtr _t61;
				void* _t68;

				_push(__ebx);
				_v20 = 0;
				_v8 = 0;
				_push(_t68);
				_push(0x40bdae);
				_push( *[fs:eax]);
				 *[fs:eax] = _t68 + 0xfffffff0;
				_t21 = E00406728(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
				if(_t21 == 0) {
					_t22 =  *0x412c7c; // 0x4127d8
					if( *_t22 != 2) {
						if(E0040BC8C(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
							E0040BC80();
							RegCloseKey(_v12);
						}
					} else {
						if(E0040BC8C(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
							E0040BC80();
							RegCloseKey(_v12);
						}
					}
					E00405058( &_v20, _v8, E0040BEC4);
					E004032EC(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					 *_t21();
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E0040BDB5);
				L00404C88( &_v20);
				return L00404C88( &_v8);
			}

0x0040bcba
0x0040bcbd
0x0040bcc0
0x0040bcc5
0x0040bcc6
0x0040bccb
0x0040bcce
0x0040bce1
0x0040bce8
0x0040bcf3
0x0040bcfb
0x0040bd50
0x0040bd5d
0x0040bd66
0x0040bd66
0x0040bcfd
0x0040bd18
0x0040bd25
0x0040bd2e
0x0040bd2e
0x0040bd18
0x0040bd76
0x0040bd81
0x0040bd8c
0x0040bd8c
0x0040bcea
0x0040bcea
0x0040bcec
0x0040bd92
0x0040bd95
0x0040bd98
0x0040bda0
0x0040bdad

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0040BDAE), ref: 0040BCDB

Part of subcall function 00406728: GetProcAddress.KERNEL32(?,0040BDAE), ref: 0040674C

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0040BDAE), ref: 0040BD2E

Strings

.DEFAULT\Control Panel\International, xrefs: 0040BD05
kernel32.dll, xrefs: 0040BCD6
Control Panel\Desktop\ResourceLocale, xrefs: 0040BD3D
Locale, xrefs: 0040BD1D
GetUserDefaultUILanguage, xrefs: 0040BCD1

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: ff68f8bc8c37020399e68e1f56bafd439613cb074afb5eacf4222545351c9975
Instruction ID: 8956addf40242155cfdb2216673929f7d9524eb236bbacd825fdfe017c78867f
Opcode Fuzzy Hash: ff68f8bc8c37020399e68e1f56bafd439613cb074afb5eacf4222545351c9975
Instruction Fuzzy Hash: 6D212330604209ABEB10EAA5CC52BDEB7A9EF44304F61447BA500F76D1EB7C9E4587DC

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5A8, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 203
threadCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040A5A8(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				void* _t104;
				void* _t111;
				void* _t135;
				intOrPtr _t187;
				intOrPtr _t197;
				intOrPtr _t198;

				_t195 = __esi;
				_t194 = __edi;
				_t197 = _t198;
				_t135 = 8;
				do {
					_push(0);
					_push(0);
					_t135 = _t135 - 1;
				} while (_t135 != 0);
				_push(__ebx);
				_push(_t197);
				_push(0x40a886);
				_push( *[fs:eax]);
				 *[fs:eax] = _t198;
				E0040A4F0();
				E00408F68(__ebx, __edi, __esi);
				_t200 =  *0x415c3c;
				if( *0x415c3c != 0) {
					E00409140(__esi, _t200);
				}
				_t134 = GetThreadLocale();
				E00408EB4(_t43, 0, 0x14,  &_v20);
				E00404C98(0x415b6c, _v20);
				E00408EB4(_t43, 0x40a8a0, 0x1b,  &_v24);
				 *0x415b70 = E00407F10(0x40a8a0, 0, _t200);
				E00408EB4(_t134, 0x40a8a0, 0x1c,  &_v28);
				 *0x415b71 = E00407F10(0x40a8a0, 0, _t200);
				 *0x415b72 = E00408F00(_t134, 0x2c, 0xf);
				 *0x415b74 = E00408F00(_t134, 0x2e, 0xe);
				E00408EB4(_t134, 0x40a8a0, 0x19,  &_v32);
				 *0x415b76 = E00407F10(0x40a8a0, 0, _t200);
				 *0x415b78 = E00408F00(_t134, 0x2f, 0x1d);
				E00408EB4(_t134, L"m/d/yy", 0x1f,  &_v40);
				E004091F4(_v40, _t134,  &_v36, _t194, _t195, _t200);
				E00404C98(0x415b7c, _v36);
				E00408EB4(_t134, L"mmmm d, yyyy", 0x20,  &_v48);
				E004091F4(_v48, _t134,  &_v44, _t194, _t195, _t200);
				E00404C98(0x415b80, _v44);
				 *0x415b84 = E00408F00(_t134, 0x3a, 0x1e);
				E00408EB4(_t134, 0x40a8f4, 0x28,  &_v52);
				E00404C98(0x415b88, _v52);
				E00408EB4(_t134, 0x40a908, 0x29,  &_v56);
				E00404C98(0x415b8c, _v56);
				E00404CEC( &_v12, 0);
				E00404CEC( &_v16, 0);
				E00408EB4(_t134, 0x40a8a0, 0x25,  &_v60);
				_t104 = E00407F10(0x40a8a0, 0, _t200);
				_t201 = _t104;
				if(_t104 != 0) {
					E00404CEC( &_v8, 0x40a92c);
				} else {
					E00404CEC( &_v8, 0x40a91c);
				}
				E00408EB4(_t134, 0x40a8a0, 0x23,  &_v64);
				_t111 = E00407F10(0x40a8a0, 0, _t201);
				_t202 = _t111;
				if(_t111 == 0) {
					E00408EB4(_t134, 0x40a8a0, 0x1005,  &_v68);
					if(E00407F10(0x40a8a0, 0, _t202) != 0) {
						E00404CEC( &_v12, L"AMPM ");
					} else {
						E00404CEC( &_v16, L" AMPM");
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E0040513C(0x415b90, 4, _t194);
				_push(_v12);
				_push(_v8);
				_push(L":mm:ss");
				_push(_v16);
				E0040513C(0x415b94, 4, _t194);
				 *0x415c3e = E00408F00(_t134, 0x2c, 0xc);
				_pop(_t187);
				 *[fs:eax] = _t187;
				_push(E0040A88D);
				return L00404C90( &_v68, 0x10);
			}

0x0040a5a8
0x0040a5a8
0x0040a5a9
0x0040a5ab
0x0040a5b0
0x0040a5b0
0x0040a5b2
0x0040a5b4
0x0040a5b4
0x0040a5b7
0x0040a5ba
0x0040a5bb
0x0040a5c0
0x0040a5c3
0x0040a5c6
0x0040a5cb
0x0040a5d0
0x0040a5d7
0x0040a5d9
0x0040a5d9
0x0040a5e3
0x0040a5f2
0x0040a5ff
0x0040a614
0x0040a623
0x0040a638
0x0040a647
0x0040a65c
0x0040a672
0x0040a688
0x0040a697
0x0040a6ac
0x0040a6c2
0x0040a6cd
0x0040a6da
0x0040a6ef
0x0040a6fa
0x0040a707
0x0040a71c
0x0040a732
0x0040a73f
0x0040a754
0x0040a761
0x0040a76b
0x0040a775
0x0040a78a
0x0040a794
0x0040a799
0x0040a79b
0x0040a7b4
0x0040a79d
0x0040a7a5
0x0040a7a5
0x0040a7c9
0x0040a7d3
0x0040a7d8
0x0040a7da
0x0040a7ec
0x0040a7fd
0x0040a816
0x0040a7ff
0x0040a807
0x0040a807
0x0040a7fd
0x0040a81b
0x0040a81e
0x0040a821
0x0040a826
0x0040a833
0x0040a838
0x0040a83b
0x0040a83e
0x0040a843
0x0040a850
0x0040a865
0x0040a86d
0x0040a870
0x0040a873
0x0040a885

APIs

GetThreadLocale.KERNEL32(00000000,0040A886,?,?,00000000,00000000), ref: 0040A5DE

Part of subcall function 00408EB4: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00408ED2

Strings

:mm:ss, xrefs: 0040A83E
mmmm d, yyyy, xrefs: 0040A6E3
:mm, xrefs: 0040A821
m/d/yy, xrefs: 0040A6B6
AMPM , xrefs: 0040A811
AMPM, xrefs: 0040A802

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 8a50f68389ff190409cc6e1354995ac59f3095b9dfab6b774593af29b2008bc8
Instruction ID: 937fad03d119ad446409e4fc6370febcefa1a0408b23a60a3ce11da87fe3f1e8
Opcode Fuzzy Hash: 8a50f68389ff190409cc6e1354995ac59f3095b9dfab6b774593af29b2008bc8
Instruction Fuzzy Hash: 01710A75B042499BDB00EBA5D841ADF7266ABC8308F51D43BB201BB3C6DA3CDD16879D

Uniqueness

Uniqueness Score: -1.00%

Function 004044F0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004044F0(void* __ecx) {
				long _v4;
				int _t3;

				if( *0x41304c == 0) {
					if( *0x412028 == 0) {
						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
					}
					return _t3;
				} else {
					if( *0x413328 == 0xd7b2 &&  *0x413330 > 0) {
						 *0x413340();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
					return WriteFile(GetStdHandle(0xfffffff5), E0040457C, 2,  &_v4, 0);
				}
			}

0x004044f8
0x00404558
0x00404568
0x00404568
0x0040456e
0x004044fa
0x00404503
0x00404513
0x00404513
0x0040452f
0x00404550
0x00404550

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000,?), ref: 00404529
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?,?,00000001,004046B6,00402F13,00402F5A,00000000), ref: 0040452F
GetStdHandle.KERNEL32(000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 00404544
WriteFile.KERNEL32(00000000,000000F5,0040457C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004045A1,?,?), ref: 0040454A
MessageBoxA.USER32 ref: 00404568

Strings

Error, xrefs: 0040455C
Runtime error at 00000000, xrefs: 00404522, 00404561

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 702207360e6f67392dae8c09e50a71dce199e074f7270a58720f1a5ddd4bdc6b
Instruction ID: fdc5a69791f8b721a84368f61c8a4f4698a1174428d9f6e56fc121f1a8fce5d1
Opcode Fuzzy Hash: 702207360e6f67392dae8c09e50a71dce199e074f7270a58720f1a5ddd4bdc6b
Instruction Fuzzy Hash: 8CF02BF0A8038479E620B7609D06FD626880384F1AFA0823BB370F54E6C6FC45C4C62D

Uniqueness

Uniqueness Score: -1.00%

Function 00401E74, Relevance: 10.9, APIs: 7, Instructions: 407
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00401E74(signed int __eax, intOrPtr __edx, void* __edi) {
				signed int __ebx;
				void* __esi;
				signed int _t69;
				signed int _t78;
				signed int _t93;
				long _t94;
				void* _t100;
				signed int _t102;
				signed int _t109;
				signed int _t115;
				signed int _t123;
				signed int _t129;
				void* _t131;
				signed int _t140;
				unsigned int _t148;
				signed int _t150;
				long _t152;
				signed int _t156;
				intOrPtr _t161;
				signed int _t166;
				signed int _t170;
				unsigned int _t171;
				intOrPtr _t174;
				intOrPtr _t180;
				intOrPtr _t193;
				signed int _t196;
				signed int _t197;
				signed int _t198;
				void* _t206;
				unsigned int _t208;
				intOrPtr _t214;
				void* _t226;
				intOrPtr _t228;
				void* _t229;
				signed int _t231;
				void* _t233;
				signed int _t234;
				signed int _t235;
				signed int _t239;
				signed int _t242;
				void* _t244;
				intOrPtr* _t245;

				_t176 = __edx;
				_t66 = __eax;
				_t166 =  *(__eax - 4);
				_t218 = __eax;
				if((_t166 & 0x00000007) != 0) {
					__eflags = _t166 & 0x00000005;
					if((_t166 & 0x00000005) != 0) {
						_pop(_t218);
						_pop(_t145);
						__eflags = _t166 & 0x00000003;
						if((_t166 & 0x00000003) == 0) {
							_push(_t145);
							_push(__eax);
							_push(__edi);
							_push(_t226);
							_t245 = _t244 + 0xffffffe0;
							_t219 = __edx;
							_t203 = __eax;
							_t69 =  *(__eax - 4);
							_t148 = (_t69 & 0xfffffff0) - 0x14;
							if(_t148 >= __edx) {
								__eflags = __edx - _t148 >> 1;
								if(__edx < _t148 >> 1) {
									_t150 = E004018F8(__edx);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t219 - 0x40a2c;
										if(_t219 > 0x40a2c) {
											_t78 = _t203 - 0x10;
											__eflags = _t78;
											 *((intOrPtr*)(_t78 + 8)) = _t219;
										}
										E004014BC(_t203, _t219, _t150);
										E00401C7C(_t203, _t203, _t226);
									}
								} else {
									_t150 = __eax;
									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
								}
							} else {
								_t180 = (_t148 >> 2) + _t148;
								if(_t180 <= __edx) {
									_t228 = __edx;
								} else {
									_t228 = _t180;
								}
								 *_t245 = _t203 - 0x10 + (_t69 & 0xfffffff0);
								VirtualQuery( *(_t245 + 8), _t245 + 8, 0x1c);
								if( *((intOrPtr*)(_t245 + 0x14)) != 0x10000) {
									L12:
									_t150 = E004018F8(_t228);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t228 - 0x40a2c;
										if(_t228 > 0x40a2c) {
											_t93 = _t150 - 0x10;
											__eflags = _t93;
											 *((intOrPtr*)(_t93 + 8)) = _t219;
										}
										E0040148C(_t203,  *((intOrPtr*)(_t203 - 0x10 + 8)), _t150);
										E00401C7C(_t203, _t203, _t228);
									}
								} else {
									 *(_t245 + 0x10) =  *(_t245 + 0x10) & 0xffff0000;
									_t94 =  *(_t245 + 0x10);
									if(_t219 - _t148 >= _t94) {
										goto L12;
									} else {
										_t152 = _t228 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
										if(_t94 < _t152) {
											_t152 = _t94;
										}
										if(VirtualAlloc( *(_t245 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t245 + 0xc), _t152, 0x1000, 4) == 0) {
											goto L12;
										} else {
											_t100 = _t203 - 0x10;
											 *((intOrPtr*)(_t100 + 8)) = _t219;
											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
											_t150 = _t203;
										}
									}
								}
							}
							return _t150;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t170 = _t166 & 0xfffffff0;
						_push(__edi);
						_t206 = _t170 + __eax;
						_t171 = _t170 - 4;
						_t156 = _t166 & 0x0000000f;
						__eflags = __edx - _t171;
						_push(_t226);
						if(__edx > _t171) {
							_t102 =  *(_t206 - 4);
							__eflags = _t102 & 0x00000001;
							if((_t102 & 0x00000001) == 0) {
								L75:
								asm("adc edi, 0xffffffff");
								_t229 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
								_t208 = _t171;
								_t109 = E004018F8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
								_t193 = _t176;
								__eflags = _t109;
								if(_t109 == 0) {
									goto L73;
								} else {
									__eflags = _t229 - 0x40a2c;
									if(_t229 > 0x40a2c) {
										 *((intOrPtr*)(_t109 - 8)) = _t193;
									}
									_t231 = _t109;
									E0040148C(_t218, _t208, _t109);
									E00401C7C(_t218, _t208, _t231);
									return _t231;
								}
							} else {
								_t115 = _t102 & 0xfffffff0;
								_t233 = _t171 + _t115;
								__eflags = __edx - _t233;
								if(__edx > _t233) {
									goto L75;
								} else {
									__eflags =  *0x41304d;
									if(__eflags == 0) {
										L66:
										__eflags = _t115 - 0xb30;
										if(_t115 >= 0xb30) {
											E004014D8(_t206);
											_t176 = _t176;
											_t171 = _t171;
										}
										asm("adc edi, 0xffffffff");
										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t196 = _t233 + 4 - _t123;
										__eflags = _t196;
										if(_t196 > 0) {
											 *(_t218 + _t233 - 4) = _t196;
											 *((intOrPtr*)(_t218 - 4 + _t123)) = _t196 + 3;
											_t234 = _t123;
											__eflags = _t196 - 0xb30;
											if(_t196 >= 0xb30) {
												__eflags = _t123 + _t218;
												E00401518(_t123 + _t218, _t171, _t196);
											}
										} else {
											 *(_t218 + _t233) =  *(_t218 + _t233) & 0xfffffff7;
											_t234 = _t233 + 4;
										}
										_t235 = _t234 | _t156;
										__eflags = _t235;
										 *(_t218 - 4) = _t235;
										 *0x413a34 = 0;
										_t109 = _t218;
										L73:
										return _t109;
									} else {
										while(1) {
											asm("lock cmpxchg [0x413a34], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4138d5;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t176 = _t176;
												_t171 = _t171;
												asm("lock cmpxchg [0x413a34], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t176 = _t176;
													_t171 = _t171;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t218 - 4);
										_t129 =  *(_t206 - 4);
										__eflags = _t129 & 0x00000001;
										if((_t129 & 0x00000001) == 0) {
											L74:
											 *0x413a34 = 0;
											goto L75;
										} else {
											_t115 = _t129 & 0xfffffff0;
											_t233 = _t171 + _t115;
											__eflags = _t176 - _t233;
											if(_t176 > _t233) {
												goto L74;
											} else {
												goto L66;
											}
										}
									}
								}
							}
						} else {
							__eflags = __edx + __edx - _t171;
							if(__edx + __edx < _t171) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L41:
									_t32 = _t176 + 0xd3; // 0xbff
									_t239 = (_t32 & 0xffffff00) + 0x30;
									_t174 = _t171 + 4 - _t239;
									__eflags =  *0x41304d;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x413a34], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4138d5;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t174 = _t174;
												asm("lock cmpxchg [0x413a34], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t174 = _t174;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t218 - 4);
										__eflags = 0xf;
									}
									 *(_t218 - 4) = _t156 | _t239;
									_t161 = _t174;
									_t197 =  *(_t206 - 4);
									__eflags = _t197 & 0x00000001;
									if((_t197 & 0x00000001) != 0) {
										_t131 = _t206;
										_t198 = _t197 & 0xfffffff0;
										_t161 = _t161 + _t198;
										_t206 = _t206 + _t198;
										__eflags = _t198 - 0xb30;
										if(_t198 >= 0xb30) {
											E004014D8(_t131);
										}
									} else {
										 *(_t206 - 4) = _t197 | 0x00000008;
									}
									 *((intOrPtr*)(_t206 - 8)) = _t161;
									 *((intOrPtr*)(_t218 + _t239 - 4)) = _t161 + 3;
									__eflags = _t161 - 0xb30;
									if(_t161 >= 0xb30) {
										E00401518(_t218 + _t239, _t174, _t161);
									}
									 *0x413a34 = 0;
									return _t218;
								} else {
									__eflags = __edx - 0x2cc;
									if(__edx < 0x2cc) {
										_t214 = __edx;
										_t140 = E004018F8(__edx);
										__eflags = _t140;
										if(_t140 != 0) {
											_t242 = _t140;
											E004014BC(_t218, _t214, _t140);
											E00401C7C(_t218, _t214, _t242);
											_t140 = _t242;
										}
										return _t140;
									} else {
										_t176 = 0xb2c;
										__eflags = _t171 - 0xb2c;
										if(_t171 <= 0xb2c) {
											goto L37;
										} else {
											goto L41;
										}
									}
								}
							} else {
								L37:
								return _t66;
							}
						}
					}
				} else {
					__ebx =  *__ecx;
					__ecx =  *(__ebx + 2) & 0x0000ffff;
					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
					__eflags = __ecx - __edx;
					if(__ecx < __edx) {
						__ecx = __ecx + __ecx + 0x20;
						_push(__edi);
						__edi = __edx;
						__eax = 0;
						__ecx = __ecx - __edx;
						asm("adc eax, 0xffffffff");
						__eax = 0 & __ecx;
						__eax = (0 & __ecx) + __edx;
						__eax = E004018F8((0 & __ecx) + __edx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __edi - 0x40a2c;
							if(__edi > 0x40a2c) {
								 *(__eax - 8) = __edi;
							}
							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__edx = __eax;
							__edi = __eax;
							 *((intOrPtr*)(__ebx + 0x1c))() = E00401C7C(__esi, __edi, __ebp);
							__eax = __edi;
						}
						_pop(__edi);
						_pop(__esi);
						_pop(__ebx);
						return __eax;
					} else {
						__ebx = 0x40 + __edx * 4;
						__eflags = 0x40 + __edx * 4 - __ecx;
						if(0x40 + __edx * 4 < __ecx) {
							__ebx = __edx;
							__eax = __edx;
							__eax = E004018F8(__edx);
							__eflags = __eax;
							if(__eax != 0) {
								__ecx = __ebx;
								__edx = __eax;
								__ebx = __eax;
								__esi = E00401C7C(__esi, __edi, __ebp);
								__eax = __ebx;
							}
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						} else {
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00401e74
0x00401e74
0x00401e74
0x00401e7c
0x00401e7e
0x00401f0c
0x00401f0f
0x0040217c
0x0040217d
0x0040217e
0x00402181
0x004017ac
0x004017ad
0x004017ae
0x004017af
0x004017b0
0x004017b3
0x004017b5
0x004017bc
0x004017c3
0x004017c8
0x004018b1
0x004018b3
0x004018c6
0x004018c8
0x004018ca
0x004018cc
0x004018d2
0x004018d6
0x004018d6
0x004018d9
0x004018d9
0x004018e2
0x004018e9
0x004018e9
0x004018b5
0x004018b5
0x004018ba
0x004018ba
0x004017ce
0x004017d3
0x004017d7
0x004017dd
0x004017d9
0x004017d9
0x004017d9
0x004017e9
0x004017f8
0x00401805
0x00401877
0x0040187e
0x00401880
0x00401882
0x00401884
0x0040188a
0x0040188e
0x0040188e
0x00401891
0x00401891
0x004018a1
0x004018a8
0x004018a8
0x00401807
0x00401807
0x00401813
0x00401819
0x00000000
0x0040181b
0x0040182c
0x00401830
0x00401832
0x00401832
0x00401848
0x00000000
0x00401860
0x00401862
0x00401865
0x00401870
0x00401873
0x00401873
0x00401848
0x00401819
0x00401805
0x004018f7
0x00402187
0x00402187
0x00402189
0x00402189
0x00401f15
0x00401f17
0x00401f1a
0x00401f1b
0x00401f1e
0x00401f21
0x00401f24
0x00401f26
0x00401f27
0x0040203c
0x0040203f
0x00402041
0x00402134
0x0040213f
0x00402146
0x00402148
0x0040214b
0x00402150
0x00402151
0x00402153
0x00000000
0x00402155
0x00402155
0x0040215b
0x0040215d
0x0040215d
0x00402160
0x00402168
0x0040216f
0x0040217a
0x0040217a
0x00402047
0x00402047
0x0040204a
0x0040204d
0x0040204f
0x00000000
0x00402055
0x00402055
0x0040205c
0x004020b9
0x004020b9
0x004020be
0x004020c4
0x004020c9
0x004020ca
0x004020ca
0x004020d6
0x004020e7
0x004020ed
0x004020ed
0x004020ef
0x004020fc
0x00402103
0x00402107
0x00402109
0x0040210f
0x00402111
0x00402113
0x00402113
0x004020f1
0x004020f1
0x004020f5
0x004020f5
0x00402118
0x00402118
0x0040211a
0x0040211d
0x00402124
0x00402126
0x0040212a
0x0040205e
0x0040205e
0x00402063
0x0040206b
0x00000000
0x00000000
0x0040206d
0x0040206f
0x00402076
0x00000000
0x00402078
0x0040207c
0x00402081
0x00402082
0x00402088
0x00402090
0x00402096
0x0040209b
0x0040209c
0x00000000
0x0040209c
0x00402090
0x00000000
0x00402076
0x004020a5
0x004020a8
0x004020ab
0x004020ad
0x0040212d
0x0040212d
0x00000000
0x004020af
0x004020af
0x004020b2
0x004020b5
0x004020b7
0x00000000
0x00000000
0x00000000
0x00000000
0x004020b7
0x004020ad
0x0040205c
0x0040204f
0x00401f2d
0x00401f30
0x00401f32
0x00401f3c
0x00401f42
0x00401f59
0x00401f59
0x00401f65
0x00401f6b
0x00401f6d
0x00401f74
0x00401f76
0x00401f7b
0x00401f83
0x00000000
0x00000000
0x00401f85
0x00401f87
0x00401f8e
0x00000000
0x00401f90
0x00401f93
0x00401f98
0x00401f9e
0x00401fa6
0x00401fab
0x00401fb0
0x00000000
0x00401fb0
0x00401fa6
0x00000000
0x00401f8e
0x00401fb9
0x00401fb9
0x00401fb9
0x00401fbe
0x00401fc1
0x00401fc3
0x00401fc6
0x00401fc9
0x00401fd4
0x00401fd6
0x00401fd9
0x00401fdb
0x00401fdd
0x00401fe3
0x00401fe5
0x00401fe5
0x00401fcb
0x00401fce
0x00401fce
0x00401fea
0x00401ff0
0x00401ff4
0x00401ffa
0x00402001
0x00402001
0x00402006
0x00402013
0x00401f44
0x00401f44
0x00401f4a
0x00402014
0x00402018
0x0040201d
0x0040201f
0x00402021
0x00402029
0x00402030
0x00402035
0x00402035
0x0040203b
0x00401f50
0x00401f50
0x00401f55
0x00401f57
0x00000000
0x00000000
0x00000000
0x00000000
0x00401f57
0x00401f4a
0x00401f34
0x00401f34
0x00401f38
0x00401f38
0x00401f32
0x00401f27
0x00401e84
0x00401e84
0x00401e86
0x00401e8a
0x00401e8d
0x00401e8f
0x00401ec8
0x00401ecc
0x00401ecd
0x00401ecf
0x00401ed1
0x00401ed3
0x00401ed6
0x00401ed8
0x00401eda
0x00401edf
0x00401ee1
0x00401ee3
0x00401ee9
0x00401eeb
0x00401eeb
0x00401ef2
0x00401ef2
0x00401ef5
0x00401ef7
0x00401f00
0x00401f05
0x00401f05
0x00401f07
0x00401f08
0x00401f09
0x00401f0a
0x00401e91
0x00401e91
0x00401e98
0x00401e9a
0x00401ea0
0x00401ea2
0x00401ea4
0x00401ea9
0x00401eab
0x00401ead
0x00401eaf
0x00401eb1
0x00401ebc
0x00401ec1
0x00401ec1
0x00401ec3
0x00401ec4
0x00401ec5
0x00401e9c
0x00401e9c
0x00401e9d
0x00401e9e
0x00401e9e
0x00401e9a
0x00401e8f

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f575fe0f9ab75cd77064c69f6d0118a98c1029f4734138360c475f3ddc3b2d0
Instruction ID: e7aaafa73fe3aa34f17de89ed5c93537a6fc3e5f890846df0dd0d21288fe1d67
Opcode Fuzzy Hash: 5f575fe0f9ab75cd77064c69f6d0118a98c1029f4734138360c475f3ddc3b2d0
Instruction Fuzzy Hash: 54C102767002010BE714AA6DDD8976EB2C69BC5325F18823FE214EB3E6DABCC9458348

Uniqueness

Uniqueness Score: -1.00%

Function 004027B8, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 277
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E004027B8(void* __eax, void* __fp0) {
				void* _v8;
				char _v110600;
				char _v112644;
				char _v112645;
				signed int _v112652;
				char _v112653;
				char _v112654;
				char _v112660;
				intOrPtr _v112664;
				intOrPtr _v112668;
				intOrPtr _v112672;
				signed short* _v112676;
				void* _v112680;
				char _v129064;
				char _v131113;
				char _v161832;
				void* _t70;
				int _t76;
				intOrPtr _t79;
				intOrPtr _t90;
				CHAR* _t94;
				intOrPtr _t96;
				void* _t106;
				intOrPtr _t107;
				intOrPtr _t113;
				intOrPtr _t118;
				void* _t128;
				intOrPtr _t129;
				intOrPtr _t133;
				signed int _t143;
				int _t148;
				intOrPtr _t149;
				char* _t151;
				char* _t152;
				char* _t153;
				char* _t154;
				char* _t155;
				char* _t156;
				char* _t158;
				char* _t159;
				char* _t164;
				char* _t165;
				intOrPtr _t197;
				void* _t199;
				void* _t200;
				intOrPtr* _t203;
				void* _t205;
				void* _t206;
				signed int _t211;
				void* _t214;
				void* _t215;
				void* _t228;

				_push(__eax);
				_t70 = 0x27;
				goto L1;
				L12:
				while(_t197 != 0x413a24) {
					_t76 = E004021E4(_t197);
					_t148 = _t76;
					__eflags = _t148;
					if(_t148 == 0) {
						L11:
						_t20 = _t197 + 4; // 0x413a24
						_t197 =  *_t20;
						continue;
					} else {
						goto L4;
					}
					do {
						L4:
						_t211 =  *(_t148 - 4);
						__eflags = _t211 & 0x00000001;
						if((_t211 & 0x00000001) == 0) {
							__eflags = _t211 & 0x00000004;
							if(__eflags == 0) {
								__eflags = _v112652 - 0x1000;
								if(_v112652 < 0x1000) {
									_v112664 = (_t211 & 0xfffffff0) - 4;
									_t143 = E004025A0(_t148);
									__eflags = _t143;
									if(_t143 == 0) {
										_v112645 = 0;
										 *((intOrPtr*)(_t214 + _v112652 * 4 - 0x1f824)) = _v112664;
										_t18 =  &_v112652;
										 *_t18 = _v112652 + 1;
										__eflags =  *_t18;
									}
								}
							} else {
								E004025F8(_t148, __eflags, _t214);
							}
						}
						_t76 = E004021C0(_t148);
						_t148 = _t76;
						__eflags = _t148;
					} while (_t148 != 0);
					goto L11;
				}
				_t149 =  *0x415acc; // 0x415ac8
				while(_t149 != 0x415ac8 && _v112652 < 0x1000) {
					_t76 = E004025A0(_t149 + 0x10);
					__eflags = _t76;
					if(_t76 == 0) {
						_v112645 = 0;
						_t22 = _t149 + 0xc; // 0x0
						_t76 = _v112652;
						 *((intOrPtr*)(_t214 + _t76 * 4 - 0x1f824)) = ( *_t22 & 0xfffffff0) - 0xfffffffffffffff4;
						_t27 =  &_v112652;
						 *_t27 = _v112652 + 1;
						__eflags =  *_t27;
					}
					_t29 = _t149 + 4; // 0x415ac8
					_t149 =  *_t29;
				}
				if(_v112645 != 0) {
					L50:
					return _t76;
				}
				_v112653 = 0;
				_v112668 = 0;
				_t79 =  *0x412038; // 0x40126c
				_t151 = E0040237C(E00404914(_t79),  &_v161832);
				_v112660 = 0x37;
				_v112676 = 0x41205e;
				_v112680 =  &_v110600;
				do {
					_v112672 = ( *_v112676 & 0x0000ffff) - 4;
					_v112654 = 0;
					_t199 = 0xff;
					_t203 = _v112680;
					while(_t151 <=  &_v131113) {
						if( *_t203 > 0) {
							if(_v112653 == 0) {
								_t133 =  *0x41203c; // 0x401298
								_t151 = E0040237C(E00404914(_t133), _t151);
								_v112653 = 1;
							}
							if(_v112654 != 0) {
								 *_t151 = 0x2c;
								_t156 = _t151 + 1;
								 *_t156 = 0x20;
								_t157 = _t156 + 1;
								__eflags = _t156 + 1;
							} else {
								 *_t151 = 0xd;
								 *((char*)(_t151 + 1)) = 0xa;
								_t164 = E00402260(_v112668 + 1, _t151 + 2);
								 *_t164 = 0x20;
								_t165 = _t164 + 1;
								 *_t165 = 0x2d;
								 *((char*)(_t165 + 1)) = 0x20;
								_t128 = E00402260(_v112672, _t165 + 2);
								_t129 =  *0x412044; // 0x401300
								_t157 = E0040237C(E00404914(_t129), _t128);
								_v112654 = 1;
							}
							_t106 = _t199 - 1;
							_t228 = _t106;
							if(_t228 < 0) {
								_t107 =  *0x412048; // 0x40130c
								_t158 = E0040237C(E00404914(_t107), _t157);
							} else {
								if(_t228 == 0) {
									_t113 =  *0x41204c; // 0x401314
									_t158 = E0040237C(E00404914(_t113), _t157);
								} else {
									if(_t106 == 1) {
										_t118 =  *0x412050; // 0x401320
										_t158 = E0040237C(E00404914(_t118), _t157);
									} else {
										_t158 = E00402394( *((intOrPtr*)(_t203 - 4)), _t157);
									}
								}
							}
							 *_t158 = 0x20;
							_t159 = _t158 + 1;
							 *_t159 = 0x78;
							 *((char*)(_t159 + 1)) = 0x20;
							_t151 = E00402260( *_t203, _t159 + 2);
						}
						_t199 = _t199 - 1;
						_t203 = _t203 - 8;
						if(_t199 != 0xffffffff) {
							continue;
						} else {
							goto L39;
						}
					}
					L39:
					_v112668 = _v112672;
					_v112680 = _v112680 + 0x800;
					_v112676 =  &(_v112676[0x10]);
					_t57 =  &_v112660;
					 *_t57 = _v112660 - 1;
				} while ( *_t57 != 0);
				if(_v112652 <= 0) {
					L49:
					_t90 =  *0x412054; // 0x401330
					E0040237C(E00404914(_t90), _t151);
					_t94 =  *0x412058; // 0x401334
					_t76 = MessageBoxA(0,  &_v161832, _t94, 0x2010);
					goto L50;
				}
				if(_v112653 != 0) {
					 *_t151 = 0xd;
					_t153 = _t151 + 1;
					 *_t153 = 0xa;
					_t154 = _t153 + 1;
					 *_t154 = 0xd;
					_t155 = _t154 + 1;
					 *_t155 = 0xa;
					_t151 = _t155 + 1;
				}
				_t96 =  *0x412040; // 0x4012c0
				_t151 = E0040237C(E00404914(_t96), _t151);
				_t205 = _v112652 - 1;
				if(_t205 >= 0) {
					_t206 = _t205 + 1;
					_t200 = 0;
					_v112680 =  &_v129064;
					L45:
					L45:
					if(_t200 != 0) {
						 *_t151 = 0x2c;
						_t152 = _t151 + 1;
						 *_t152 = 0x20;
						_t151 = _t152 + 1;
					}
					_t151 = E00402260( *_v112680, _t151);
					if(_t151 >  &_v131113) {
						goto L49;
					}
					_t200 = _t200 + 1;
					_v112680 = _v112680 + 4;
					_t206 = _t206 - 1;
					if(_t206 != 0) {
						goto L45;
					}
				}
				L1:
				_t215 = _t215 + 0xfffff004;
				_push(_t70);
				_t70 = _t70 - 1;
				if(_t70 != 0) {
					goto L1;
				} else {
					E00403250( &_v112644, 0x1b800);
					E00403250( &_v129064, 0x4000);
					_t76 = 0;
					_v112652 = 0;
					_v112645 = 1;
					_t197 =  *0x413a28; // 0x413a24
					goto L12;
				}
			}

0x004027bb
0x004027bc
0x004027bc
0x00000000
0x00402897
0x00402817
0x0040281c
0x0040281e
0x00402820
0x00402894
0x00402894
0x00402894
0x00000000
0x00000000
0x00000000
0x00000000
0x00402822
0x00402822
0x00402827
0x00402829
0x0040282f
0x00402831
0x00402837
0x00402844
0x0040284e
0x00402856
0x0040285e
0x00402863
0x00402865
0x00402867
0x0040287a
0x00402881
0x00402881
0x00402881
0x00402881
0x00402865
0x00402839
0x0040283c
0x00402841
0x00402837
0x00402889
0x0040288e
0x00402890
0x00402890
0x00000000
0x00402822
0x004028a3
0x004028e2
0x004028b0
0x004028b5
0x004028b7
0x004028b9
0x004028c0
0x004028cc
0x004028d2
0x004028d9
0x004028d9
0x004028d9
0x004028d9
0x004028df
0x004028df
0x004028df
0x004028fd
0x00402b92
0x00402b98
0x00402b98
0x00402903
0x0040290c
0x00402912
0x0040292e
0x00402930
0x0040293a
0x0040294a
0x00402950
0x0040295c
0x00402962
0x00402969
0x00402974
0x00402976
0x00402987
0x00402994
0x00402996
0x004029ae
0x004029b0
0x004029b0
0x004029be
0x00402a16
0x00402a19
0x00402a1a
0x00402a1d
0x00402a1d
0x004029c0
0x004029c0
0x004029c4
0x004029d6
0x004029d8
0x004029db
0x004029dc
0x004029e0
0x004029ec
0x004029f3
0x00402a0b
0x00402a0d
0x00402a0d
0x00402a20
0x00402a20
0x00402a23
0x00402a2c
0x00402a44
0x00402a25
0x00402a25
0x00402a48
0x00402a60
0x00402a27
0x00402a28
0x00402a64
0x00402a7c
0x00402a2a
0x00402a8a
0x00402a8a
0x00402a28
0x00402a25
0x00402a8c
0x00402a8f
0x00402a90
0x00402a94
0x00402aa1
0x00402aa1
0x00402aa3
0x00402aa4
0x00402aaa
0x00000000
0x00000000
0x00000000
0x00000000
0x00402aaa
0x00402ab0
0x00402ab6
0x00402abc
0x00402ac6
0x00402acd
0x00402acd
0x00402acd
0x00402ae0
0x00402b61
0x00402b61
0x00402b74
0x00402b7e
0x00402b8d
0x00000000
0x00402b8d
0x00402ae9
0x00402aeb
0x00402aee
0x00402aef
0x00402af2
0x00402af3
0x00402af6
0x00402af7
0x00402afa
0x00402afa
0x00402afb
0x00402b13
0x00402b1b
0x00402b1e
0x00402b20
0x00402b21
0x00402b29
0x00000000
0x00402b2f
0x00402b31
0x00402b33
0x00402b36
0x00402b37
0x00402b3a
0x00402b3a
0x00402b4a
0x00402b54
0x00000000
0x00000000
0x00402b56
0x00402b57
0x00402b5e
0x00402b5f
0x00000000
0x00000000
0x00402b5f
0x004027c1
0x004027c1
0x004027c7
0x004027c8
0x004027c9
0x00000000
0x004027cb
0x004027e4
0x004027f6
0x004027fb
0x004027fd
0x00402803
0x0040280a
0x00000000
0x0040280a

APIs

MessageBoxA.USER32 ref: 00402B8D

Strings

7, xrefs: 00402930
$:A, xrefs: 0040280A
$:A, xrefs: 00402897
, xrefs: 00402AC6

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Message
String ID: $$:A$$:A$7
API String ID: 2030045667-2368080441
Opcode ID: 4013aa1c4d508e0f21f628e91fd2f66dd9b67919b6327f81295100d5b103fb88
Instruction ID: 5e81d980581d028b30a088fdd03a9cb8372552a81488182f994bcd5140d075e0
Opcode Fuzzy Hash: 4013aa1c4d508e0f21f628e91fd2f66dd9b67919b6327f81295100d5b103fb88
Instruction Fuzzy Hash: A9B1C430B002548BCB21EB2DCE88B9977E4AB4D344F1481F6E548E73D2DBB89D85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004094C0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E004094C0(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v534;
				short _v1056;
				short _v1568;
				struct _MEMORY_BASIC_INFORMATION _v1596;
				char _v1600;
				intOrPtr _v1604;
				char _v1608;
				intOrPtr _v1612;
				char _v1616;
				intOrPtr _v1620;
				char _v1624;
				char* _v1628;
				char _v1632;
				char _v1636;
				char _v1640;
				struct HINSTANCE__* _t44;
				intOrPtr _t55;
				struct HINSTANCE__* _t57;
				signed int _t76;
				long _t79;
				void* _t82;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr* _t102;
				void* _t105;
				void* _t113;

				_t113 = __fp0;
				_v1640 = 0;
				_v8 = __ecx;
				_t82 = __edx;
				_t102 = __eax;
				_push(_t105);
				_push(0x40966c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t105 + 0xfffff99c;
				VirtualQuery(__edx,  &_v1596, 0x1c);
				if(_v1596.State != 0x1000) {
					L2:
					_t44 =  *0x415b48; // 0x400000
					GetModuleFileNameW(_t44,  &_v1056, 0x105);
					_v12 = E004094B4(_t82);
				} else {
					_t79 = GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105);
					_t108 = _t79;
					if(_t79 != 0) {
						_t85 = _t82 - _v1596.AllocationBase;
						__eflags = _t85;
						_v12 = _t85;
					} else {
						goto L2;
					}
				}
				E00408128( &_v534, 0x104, E0040A48C() + 2, _t108);
				_t83 = 0x409680;
				_t100 = 0x409680;
				_t95 =  *0x406d5c; // 0x406db4
				if(E0040392C(_t102, _t95) != 0) {
					_t83 = E00404D24( *((intOrPtr*)(_t102 + 4)));
					_t76 = E004080DC(_t83);
					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
						_t100 = 0x409684;
					}
				}
				_t55 =  *0x412c70; // 0x406b7c
				_t18 = _t55 + 4; // 0xffe7
				_t57 =  *0x415b48; // 0x400000
				LoadStringW(E00405B90(_t57),  *_t18,  &_v1568, 0x100);
				E00403814( *_t102,  &_v1640);
				_v1636 = _v1640;
				_v1632 = 0x11;
				_v1628 =  &_v534;
				_v1624 = 0xa;
				_v1620 = _v12;
				_v1616 = 5;
				_v1612 = _t83;
				_v1608 = 0xa;
				_v1604 = _t100;
				_v1600 = 0xa;
				_push( &_v1636);
				E00408290(_v8,  &_v1568, _a4, _t113);
				E004080DC(_v8);
				_t98 = 4;
				 *[fs:eax] = _t98;
				_push(E00409673);
				return L00404C88( &_v1640);
			}

0x004094c0
0x004094ce
0x004094d4
0x004094d7
0x004094d9
0x004094dd
0x004094de
0x004094e3
0x004094e6
0x004094f3
0x00409502
0x00409520
0x0040952c
0x00409532
0x0040953e
0x00409504
0x00409517
0x0040951c
0x0040951e
0x00409543
0x00409543
0x00409549
0x00000000
0x00000000
0x00000000
0x0040951e
0x0040956b
0x00409570
0x00409575
0x0040957c
0x00409589
0x00409593
0x00409597
0x0040959e
0x004095a8
0x004095a8
0x0040959e
0x004095b9
0x004095be
0x004095c2
0x004095cd
0x004095da
0x004095e5
0x004095eb
0x004095f8
0x004095fe
0x00409608
0x0040960e
0x00409615
0x0040961b
0x00409622
0x00409628
0x00409635
0x00409644
0x0040964c
0x00409655
0x00409658
0x0040965b
0x0040966b

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040966C), ref: 004094F3
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00409517
GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00409532
LoadStringW.USER32(00000000,0000FFE7,?,00000100), ref: 004095CD

Strings

|k@, xrefs: 004095B9

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: |k@
API String ID: 3990497365-1384102874
Opcode ID: 6f085f8ec88251c6b4d6bed15921bf942687a9faf34eb56f100020bfa587058b
Instruction ID: 812a0db5b2e8149b5403e96b780088374b8dce2bc0e6689b4533de7bda3b7772
Opcode Fuzzy Hash: 6f085f8ec88251c6b4d6bed15921bf942687a9faf34eb56f100020bfa587058b
Instruction Fuzzy Hash: A04134719012189FDB20EF65CD81BCAB7F9AB84304F4144FAE508E7282D77A9E94CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004094BE, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E004094BE(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v534;
				short _v1056;
				short _v1568;
				struct _MEMORY_BASIC_INFORMATION _v1596;
				char _v1600;
				intOrPtr _v1604;
				char _v1608;
				intOrPtr _v1612;
				char _v1616;
				intOrPtr _v1620;
				char _v1624;
				char* _v1628;
				char _v1632;
				char _v1636;
				char _v1640;
				struct HINSTANCE__* _t44;
				intOrPtr _t55;
				struct HINSTANCE__* _t57;
				signed int _t76;
				long _t79;
				void* _t82;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr* _t102;
				void* _t105;
				void* _t113;

				_t113 = __fp0;
				_v1640 = 0;
				_v8 = __ecx;
				_t82 = __edx;
				_t102 = __eax;
				_push(_t105);
				_push(0x40966c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t105 + 0xfffff99c;
				VirtualQuery(__edx,  &_v1596, 0x1c);
				if(_v1596.State != 0x1000) {
					L3:
					_t44 =  *0x415b48; // 0x400000
					GetModuleFileNameW(_t44,  &_v1056, 0x105);
					_v12 = E004094B4(_t82);
				} else {
					_t79 = GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105);
					_t108 = _t79;
					if(_t79 != 0) {
						_t85 = _t82 - _v1596.AllocationBase;
						__eflags = _t85;
						_v12 = _t85;
					} else {
						goto L3;
					}
				}
				E00408128( &_v534, 0x104, E0040A48C() + 2, _t108);
				_t83 = 0x409680;
				_t100 = 0x409680;
				_t95 =  *0x406d5c; // 0x406db4
				if(E0040392C(_t102, _t95) != 0) {
					_t83 = E00404D24( *((intOrPtr*)(_t102 + 4)));
					_t76 = E004080DC(_t83);
					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
						_t100 = 0x409684;
					}
				}
				_t55 =  *0x412c70; // 0x406b7c
				_t18 = _t55 + 4; // 0xffe7
				_t57 =  *0x415b48; // 0x400000
				LoadStringW(E00405B90(_t57),  *_t18,  &_v1568, 0x100);
				E00403814( *_t102,  &_v1640);
				_v1636 = _v1640;
				_v1632 = 0x11;
				_v1628 =  &_v534;
				_v1624 = 0xa;
				_v1620 = _v12;
				_v1616 = 5;
				_v1612 = _t83;
				_v1608 = 0xa;
				_v1604 = _t100;
				_v1600 = 0xa;
				_push( &_v1636);
				E00408290(_v8,  &_v1568, _a4, _t113);
				E004080DC(_v8);
				_t98 = 4;
				 *[fs:eax] = _t98;
				_push(E00409673);
				return L00404C88( &_v1640);
			}

0x004094be
0x004094ce
0x004094d4
0x004094d7
0x004094d9
0x004094dd
0x004094de
0x004094e3
0x004094e6
0x004094f3
0x00409502
0x00409520
0x0040952c
0x00409532
0x0040953e
0x00409504
0x00409517
0x0040951c
0x0040951e
0x00409543
0x00409543
0x00409549
0x00000000
0x00000000
0x00000000
0x0040951e
0x0040956b
0x00409570
0x00409575
0x0040957c
0x00409589
0x00409593
0x00409597
0x0040959e
0x004095a8
0x004095a8
0x0040959e
0x004095b9
0x004095be
0x004095c2
0x004095cd
0x004095da
0x004095e5
0x004095eb
0x004095f8
0x004095fe
0x00409608
0x0040960e
0x00409615
0x0040961b
0x00409622
0x00409628
0x00409635
0x00409644
0x0040964c
0x00409655
0x00409658
0x0040965b
0x0040966b

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040966C), ref: 004094F3
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00409517
GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00409532
LoadStringW.USER32(00000000,0000FFE7,?,00000100), ref: 004095CD

Strings

|k@, xrefs: 004095B9

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: |k@
API String ID: 3990497365-1384102874
Opcode ID: 43087fe4bc38f8cd41f2fd5395c9c061ec226a594088f0491a4063f5bd6d0949
Instruction ID: 1ed4c405d868999d2a68b461cc40520038d24ac33ddd5ad5e87d9ce406dc7cf2
Opcode Fuzzy Hash: 43087fe4bc38f8cd41f2fd5395c9c061ec226a594088f0491a4063f5bd6d0949
Instruction Fuzzy Hash: 86414671A002189FDB20EF55CC41BCAB7F99B84304F4144FAE508E7282D7799E94CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403714, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00403714() {
				void* _v8;
				char _v12;
				int _v16;
				signed short _t14;
				intOrPtr _t27;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t29 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_v12 =  *0x41201c & 0x0000ffff;
				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
					_t14 =  *0x41201c & 0xffc0 | _v12 & 0x3f;
					 *0x41201c = _t14;
					return _t14;
				} else {
					_push(_t29);
					_push(E00403785);
					_push( *[fs:eax]);
					 *[fs:eax] = _t32;
					_v16 = 4;
					RegQueryValueExW(_v8, L"FPUMaskValue", 0, 0,  &_v12,  &_v16);
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x40378c);
					return RegCloseKey(_v8);
				}
			}

0x00403715
0x00403717
0x00403721
0x0040373d
0x0040379f
0x004037a2
0x004037ab
0x0040373f
0x00403741
0x00403742
0x00403747
0x0040374a
0x0040374d
0x00403769
0x00403770
0x00403773
0x00403776
0x00403784
0x00403784

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403736
RegQueryValueExW.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403785,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403769
RegCloseKey.ADVAPI32(?,0040378C,00000000,?,00000004,00000000,00403785,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040377F

Strings

FPUMaskValue, xrefs: 00403760
SOFTWARE\Borland\Delphi\RTL, xrefs: 0040372C

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 6aeaf0bb9d8d3d66ce8c9309b5049384293a7d57b585f7f81df902abe7067c85
Instruction ID: 40a73df8a67999f4cbb9744d622e99770d6b6577c1e0934ef40092c26c129c87
Opcode Fuzzy Hash: 6aeaf0bb9d8d3d66ce8c9309b5049384293a7d57b585f7f81df902abe7067c85
Instruction Fuzzy Hash: B10152B5540318B9DB11DFA18D42BAABBACD708B01F208177BA00F75D0E6799A10D769

Uniqueness

Uniqueness Score: -1.00%

Function 00409140, Relevance: 7.6, APIs: 5, Instructions: 50
threadCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00409140(void* __esi, void* __eflags) {
				char _v8;
				intOrPtr* _t18;
				intOrPtr _t26;
				void* _t27;
				long _t29;
				intOrPtr _t32;
				void* _t33;

				_t33 = __eflags;
				_push(0);
				_push(_t32);
				_push(0x4091d7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				E00408EB4(GetThreadLocale(), 0x4091f0, 0x100b,  &_v8);
				_t29 = E00407F10(0x4091f0, 1, _t33);
				if(_t29 + 0xfffffffd - 3 < 0) {
					EnumCalendarInfoW(E0040908C, GetThreadLocale(), _t29, 4);
					_t27 = 7;
					_t18 = 0x415c5c;
					do {
						 *_t18 = 0xffffffff;
						_t18 = _t18 + 4;
						_t27 = _t27 - 1;
					} while (_t27 != 0);
					EnumCalendarInfoW(E004090C8, GetThreadLocale(), _t29, 3);
				}
				_pop(_t26);
				 *[fs:eax] = _t26;
				_push(E004091DE);
				return L00404C88( &_v8);
			}

0x00409140
0x00409143
0x00409148
0x00409149
0x0040914e
0x00409151
0x00409167
0x00409179
0x00409183
0x00409193
0x00409198
0x0040919d
0x004091a2
0x004091a2
0x004091a8
0x004091ab
0x004091ab
0x004091bc
0x004091bc
0x004091c3
0x004091c6
0x004091c9
0x004091d6

APIs

GetThreadLocale.KERNEL32(?,00000000,004091D7,?,?,00000000), ref: 00409158

Part of subcall function 00408EB4: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00408ED2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,004091D7,?,?,00000000), ref: 00409188
EnumCalendarInfoW.KERNEL32(Function_0000908C,00000000,00000000,00000004,00000000,004091D7,?,?,00000000), ref: 00409193
GetThreadLocale.KERNEL32(00000000,00000003,Function_0000908C,00000000,00000000,00000004,00000000,004091D7,?,?,00000000), ref: 004091B1
EnumCalendarInfoW.KERNEL32(Function_000090C8,00000000,00000000,00000003,Function_0000908C,00000000,00000000,00000004,00000000,004091D7,?,?,00000000), ref: 004091BC

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 1287b01eaffe2f7a89d76bee5e253d8467206198faf148c79f9b7f744e170f41
Instruction ID: 083ce9a4cc77aebe24cd927d5b3fe7a8d4ed640c99c3cc4bc0f0e781bc0fc52a
Opcode Fuzzy Hash: 1287b01eaffe2f7a89d76bee5e253d8467206198faf148c79f9b7f744e170f41
Instruction Fuzzy Hash: EF01DF70304604AAF701AB65CC12B5A32ACDB85728F62053AF900BB6C7DA7C9E0082AC

Uniqueness

Uniqueness Score: -1.00%

Function 004091F4, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 177
threadCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004091F4(signed int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				void* _t69;
				signed int _t72;
				signed int _t75;
				signed int _t78;
				signed int _t81;
				signed int _t97;
				intOrPtr _t112;
				void* _t113;
				signed int _t114;
				signed int _t122;
				signed int _t131;
				intOrPtr _t152;
				void* _t164;
				signed int _t166;
				intOrPtr _t170;
				void* _t171;

				_t171 = __eflags;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t164 = __edx;
				_v8 = __eax;
				L00404C80(_v8);
				_push(_t170);
				_push(0x409427);
				 *[fs:eax] = _t170;
				_t131 = 1;
				E00404C98(_t164, 0,  *[fs:eax]);
				E00408EB4(GetThreadLocale(), 0x409444, 0x1009,  &_v16);
				if(E00407F10(0x409444, 1, _t171) + 0xfffffffd - 3 < 0) {
					while(1) {
						_t69 = E00404EF4(E00404830( &_v8));
						__eflags = _t131 - _t69;
						if(_t131 > _t69) {
							break;
						}
						_t166 = _v8;
						__eflags = _t166;
						if(_t166 != 0) {
							__eflags =  *((short*)(_t166 - 0xa)) - 2;
							if( *((short*)(_t166 - 0xa)) != 2) {
								_t166 = E00404820( &_v8);
							}
						}
						__eflags =  *((short*)(_t166 + _t131 * 2 - 2)) - 0xd800;
						if( *((short*)(_t166 + _t131 * 2 - 2)) < 0xd800) {
							L22:
							_t72 = E00408164(_v8 + _t131 * 2 - 2, 2, 0x409448);
							__eflags = _t72;
							if(_t72 != 0) {
								_t75 = E00408164(_v8 + _t131 * 2 - 2, 4, L"yyyy");
								__eflags = _t75;
								if(_t75 != 0) {
									_t78 = E00408164(_v8 + _t131 * 2 - 2, 2, L"yy");
									__eflags = _t78;
									if(_t78 != 0) {
										_t81 = ( *(_v8 + _t131 * 2 - 2) & 0x0000ffff) - 0x59;
										__eflags = _t81;
										if(_t81 == 0) {
											L30:
											E00404F98(_t164, 0x4094b0);
											L32:
											_t131 = _t131 + 1;
											__eflags = _t131;
											continue;
										}
										__eflags = _t81 != 0x20;
										if(_t81 != 0x20) {
											E00404E04();
											E00404F98(_t164, _v28);
											goto L32;
										}
										goto L30;
									}
									E00404F98(_t164, 0x40949c);
									_t131 = _t131 + 1;
									goto L32;
								}
								E00404F98(_t164, L"eeee");
								_t131 = _t131 + 3;
								goto L32;
							}
							E00404F98(_t164, 0x40945c);
							_t131 = _t131 + 1;
							goto L32;
						} else {
							__eflags =  *((short*)(_t166 + _t131 * 2 - 2)) - 0xdfff;
							if( *((short*)(_t166 + _t131 * 2 - 2)) > 0xdfff) {
								goto L22;
							}
							_t97 = E0040A3F8(_v8, _t131, _t131, _t166) >> 1;
							if(__eflags < 0) {
								asm("adc eax, 0x0");
							}
							_v12 = _t97;
							E0040525C(_v8, _t131, _t131, _t164, _t166,  &_v24);
							E00404F98(_t164, _v24);
							_t131 = _t131 + _v12;
							continue;
						}
					}
					L34:
					_pop(_t152);
					 *[fs:eax] = _t152;
					_push(E0040942E);
					L00404C90( &_v28, 4);
					return L00404C88( &_v8);
				}
				_t112 =  *0x415c34; // 0x9
				_t113 = _t112 - 4;
				if(_t113 == 0 || _t113 + 0xfffffff3 - 2 < 0) {
					_t114 = 1;
				} else {
					_t114 = 0;
				}
				if(_t114 == 0) {
					E00404C98(_t164, _v8);
				} else {
					while(_t131 <= E00404EF4(E00404830( &_v8))) {
						_t122 = ( *(_v8 + _t131 * 2 - 2) & 0x0000ffff) - 0x47;
						__eflags = _t122;
						if(_t122 != 0) {
							__eflags = _t122 != 0x20;
							if(_t122 != 0x20) {
								E00404E04();
								E00404F98(_t164, _v20);
							}
						}
						_t131 = _t131 + 1;
						__eflags = _t131;
					}
				}
			}

0x004091f4
0x004091f9
0x004091fa
0x004091fb
0x004091fc
0x004091fd
0x004091fe
0x004091ff
0x00409200
0x00409202
0x00409204
0x0040920a
0x00409211
0x00409212
0x0040921a
0x0040921d
0x00409226
0x0040923e
0x00409256
0x004093ef
0x004093f7
0x004093fc
0x004093fe
0x00000000
0x00000000
0x004092ca
0x004092cd
0x004092cf
0x004092d6
0x004092da
0x004092e7
0x004092e7
0x004092da
0x004092e9
0x004092f0
0x00409332
0x00409343
0x00409348
0x0040934a
0x0040936f
0x00409374
0x00409376
0x0040939a
0x0040939f
0x004093a1
0x004093ba
0x004093ba
0x004093be
0x004093c6
0x004093cd
0x004093ee
0x004093ee
0x004093ee
0x00000000
0x004093ee
0x004093c0
0x004093c4
0x004093df
0x004093e9
0x00000000
0x004093e9
0x00000000
0x004093c4
0x004093aa
0x004093af
0x00000000
0x004093af
0x0040937f
0x00409384
0x00000000
0x00409384
0x00409353
0x00409358
0x00000000
0x004092f2
0x004092f2
0x004092f9
0x00000000
0x00000000
0x00409305
0x00409307
0x00409309
0x00409309
0x0040930c
0x0040931b
0x00409325
0x0040932a
0x00000000
0x0040932a
0x004092f0
0x00409404
0x00409406
0x00409409
0x0040940c
0x00409419
0x00409426
0x00409426
0x0040925c
0x00409261
0x00409264
0x00409272
0x0040926e
0x0040926e
0x0040926e
0x00409276
0x004092c0
0x00409278
0x004092a5
0x00409284
0x00409284
0x00409288
0x0040928a
0x0040928e
0x00409295
0x0040929f
0x0040929f
0x0040928e
0x004092a4
0x004092a4
0x004092a4
0x004092b6

APIs

GetThreadLocale.KERNEL32(?,00000000,00409427,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040922F

Part of subcall function 00408EB4: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00408ED2

Strings

ggg, xrefs: 0040934E
yyyy, xrefs: 0040935E
eeee, xrefs: 0040937A

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 8c7d597c29a03ef98b73ffdf2240034f553e37ed67633844407f3f811d289582
Instruction ID: f2ce5095f23ab47d6d0538cc62e5ab7c2440563574ca3b0be4b951cff116fd36
Opcode Fuzzy Hash: 8c7d597c29a03ef98b73ffdf2240034f553e37ed67633844407f3f811d289582
Instruction Fuzzy Hash: 1A519375A041069BCB10FBA9C5825AFB3A5EF85308B20447BE941B73E7DB3C9E02965D

Uniqueness

Uniqueness Score: -1.00%

Function 00409D3C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00409D3C(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				short _v558;
				char _v564;
				intOrPtr _v568;
				char _v572;
				char _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				void* _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				intOrPtr _v612;
				char _v616;
				char _v620;
				char _v624;
				void* _v628;
				char _v632;
				intOrPtr _t52;
				intOrPtr _t60;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t89;
				intOrPtr _t101;
				void* _t108;
				intOrPtr _t110;
				void* _t113;

				_t108 = __edi;
				_v632 = 0;
				_v596 = 0;
				_v604 = 0;
				_v600 = 0;
				_v8 = 0;
				_push(_t113);
				_push(0x409ef7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffd8c;
				_t89 =  *((intOrPtr*)(_a4 - 4));
				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
					_t52 =  *0x412c04; // 0x406bac
					E004063E4(_t52,  &_v8);
				} else {
					_t86 =  *0x412c80; // 0x406ba4
					E004063E4(_t86,  &_v8);
				}
				_t110 =  *((intOrPtr*)(_t89 + 0x18));
				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
				if(_v36.State != 0x1000 || GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105) == 0) {
					_v628 =  *(_t89 + 0xc);
					_v624 = 5;
					_v620 = _v8;
					_v616 = 0x11;
					_v612 = _t110;
					_v608 = 5;
					_push( &_v628);
					_t60 =  *0x412c0c; // 0x406b4c
					E004063E4(_t60,  &_v632, 2);
					E00409860(_t89, _v632, 1, _t108, _t110);
				} else {
					_v592 =  *(_t89 + 0xc);
					_v588 = 5;
					E00404E50( &_v600, 0x105,  &_v558);
					E00408028(_v600,  &_v596);
					_v584 = _v596;
					_v580 = 0x11;
					_v576 = _v8;
					_v572 = 0x11;
					_v568 = _t110;
					_v564 = 5;
					_push( &_v592);
					_t82 =  *0x412c38; // 0x406c1c
					E004063E4(_t82,  &_v604, 3);
					E00409860(_t89, _v604, 1, _t108, _t110);
				}
				_pop(_t101);
				 *[fs:eax] = _t101;
				_push(E00409EFE);
				L00404C88( &_v632);
				L00404C90( &_v604, 3);
				return L00404C88( &_v8);
			}

0x00409d3c
0x00409d49
0x00409d4f
0x00409d55
0x00409d5b
0x00409d61
0x00409d66
0x00409d67
0x00409d6c
0x00409d6f
0x00409d75
0x00409d7c
0x00409d90
0x00409d95
0x00409d7e
0x00409d81
0x00409d86
0x00409d86
0x00409d9a
0x00409da7
0x00409db3
0x00409e6f
0x00409e75
0x00409e7f
0x00409e85
0x00409e8c
0x00409e92
0x00409e9f
0x00409ea8
0x00409ead
0x00409ebf
0x00409dd6
0x00409dd9
0x00409ddf
0x00409df7
0x00409e08
0x00409e13
0x00409e19
0x00409e23
0x00409e29
0x00409e30
0x00409e36
0x00409e43
0x00409e4c
0x00409e51
0x00409e63
0x00409e68
0x00409ec8
0x00409ecb
0x00409ece
0x00409ed9
0x00409ee9
0x00409ef6

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,00409EF7), ref: 00409DA7
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,00409EF7), ref: 00409DC9

Part of subcall function 004063E4: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00406429

Strings

Lk@, xrefs: 00409EA8
u@, xrefs: 00409E5E, 00409EBA

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: Lk@$u@
API String ID: 902310565-2376058283
Opcode ID: 6259ec6f591da9e1ad7678461e817eadaff81f7ebf4198e2adecfced6dfa1836
Instruction ID: 1a931a7164946d0945ddcf4ea47e041f34baee353206f071f8388db194c629b8
Opcode Fuzzy Hash: 6259ec6f591da9e1ad7678461e817eadaff81f7ebf4198e2adecfced6dfa1836
Instruction Fuzzy Hash: 47412B309042589FDB60EF65CD89BCDB7F4AB48304F1145EAA908F7292E7789E84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A186, Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A186() {
				LONG* _t9;
				void* _t10;
				void* _t11;

				_t10 = 0;
				_t11 = 0x20;
				_t9 = 0x415ca4;
				while( *_t9 != 0 || InterlockedCompareExchange(_t9, 1, 0) != 0) {
					_t9 =  &(_t9[2]);
					_t11 = _t11 - 1;
					if(_t11 != 0) {
						continue;
					} else {
						if(_t10 == 0) {
							_t10 = CreateEventW(0, 0, 0, 0);
						}
						ResetEvent(_t10);
					}
					L10:
					return _t10;
				}
				if(_t9[1] == 0) {
					_t9[1] = CreateEventW(0, 0, 0, 0);
				}
				_t3 =  &(_t9[1]); // 0x0
				_t10 =  *_t3;
				goto L10;
			}

0x0040a18b
0x0040a18d
0x0040a192
0x0040a197
0x0040a1c5
0x0040a1c8
0x0040a1c9
0x00000000
0x0040a1cb
0x0040a1cd
0x0040a1dc
0x0040a1dc
0x0040a1df
0x0040a1df
0x0040a1e4
0x0040a1e9
0x0040a1e9
0x0040a1ae
0x0040a1bd
0x0040a1bd
0x0040a1c0
0x0040a1c0
0x00000000

APIs

InterlockedCompareExchange.KERNEL32(00415CA4,00000001,00000000), ref: 0040A1A1
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00415CA4,00000001,00000000), ref: 0040A1B8
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040A1D7
ResetEvent.KERNEL32(00000000), ref: 0040A1DF

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Event$Create$CompareExchangeInterlockedReset
String ID:
API String ID: 2790937731-0
Opcode ID: 85bf60a57223efc1bd127b854e8e2fcc91d5941f498f3bc83f799df80e1b8357
Instruction ID: e519d750d6dcafecf1b76c6a1b6cc8191a637c52d9ce77022197b424e8f1bcef
Opcode Fuzzy Hash: 85bf60a57223efc1bd127b854e8e2fcc91d5941f498f3bc83f799df80e1b8357
Instruction Fuzzy Hash: 2EF05E31780300AAFB316A164C82B2765568BD0B65F254037FA08BE2C2E6BDAC20416E

Uniqueness

Uniqueness Score: -1.00%

Function 00408F68, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106
threadCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00408F68(void* __ebx, void* __edi, void* __esi) {
				int _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				void* _t53;
				void* _t54;
				intOrPtr _t80;
				void* _t83;
				void* _t84;
				void* _t86;
				void* _t87;
				intOrPtr _t90;

				_t89 = _t90;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(_t90);
				_push(0x40907b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t90;
				_v8 = GetThreadLocale();
				_t53 = 1;
				_t86 = 0x415b98;
				_t83 = 0x415bc8;
				do {
					_t3 = _t53 + 0x44; // 0x45
					E00408F2C(_t3 - 1, _t53 - 1,  &_v16, 0xb, _t89);
					E00404C98(_t86, _v16);
					_t6 = _t53 + 0x38; // 0x39
					E00408F2C(_t6 - 1, _t53 - 1,  &_v20, 0xb, _t89);
					E00404C98(_t83, _v20);
					_t53 = _t53 + 1;
					_t83 = _t83 + 4;
					_t86 = _t86 + 4;
				} while (_t53 != 0xd);
				_t54 = 1;
				_t87 = 0x415bf8;
				_t84 = 0x415c14;
				do {
					_t8 = _t54 + 5; // 0x6
					asm("cdq");
					_v12 = _t8 % 7;
					E00408F2C(_v12 + 0x31, _t54 - 1,  &_v24, 6, _t89);
					E00404C98(_t87, _v24);
					E00408F2C(_v12 + 0x2a, _t54 - 1,  &_v28, 6, _t89);
					E00404C98(_t84, _v28);
					_t54 = _t54 + 1;
					_t84 = _t84 + 4;
					_t87 = _t87 + 4;
				} while (_t54 != 8);
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(E00409082);
				return L00404C90( &_v28, 4);
			}

0x00408f69
0x00408f6d
0x00408f6e
0x00408f6f
0x00408f70
0x00408f71
0x00408f72
0x00408f78
0x00408f79
0x00408f7e
0x00408f81
0x00408f89
0x00408f8c
0x00408f91
0x00408f96
0x00408f9b
0x00408faa
0x00408fae
0x00408fb9
0x00408fcd
0x00408fd1
0x00408fdc
0x00408fe1
0x00408fe2
0x00408fe5
0x00408fe8
0x00408fed
0x00408ff2
0x00408ff7
0x00408ffc
0x00408ffc
0x00409004
0x00409007
0x0040901f
0x0040902a
0x00409044
0x0040904f
0x00409054
0x00409055
0x00409058
0x0040905b
0x00409062
0x00409065
0x00409068
0x0040907a

APIs

GetThreadLocale.KERNEL32(00000000,0040907B,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00408F84

Strings

$l@, xrefs: 00408FA2
l@, xrefs: 00409011

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: LocaleThread
String ID: $l@$l@
API String ID: 635194068-4225844758
Opcode ID: 2e04514abfb8c49145987658e143d38efe1e1c455c6006f5a4294f9294b84c0e
Instruction ID: 74ee3e2f097acfc3ea8ee091fc7cdb976d8602175913d475df625015d87764a0
Opcode Fuzzy Hash: 2e04514abfb8c49145987658e143d38efe1e1c455c6006f5a4294f9294b84c0e
Instruction Fuzzy Hash: F6318771F045046BDB04EB99C881AAF77AAD788314F51843BFA05E7381DA39AD418769

Uniqueness

Uniqueness Score: -1.00%

Function 00409D3A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00409D3A(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				short _v558;
				char _v564;
				intOrPtr _v568;
				char _v572;
				char _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				void* _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				intOrPtr _v612;
				char _v616;
				char _v620;
				char _v624;
				void* _v628;
				char _v632;
				intOrPtr _t52;
				intOrPtr _t60;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t89;
				intOrPtr _t101;
				void* _t108;
				intOrPtr _t110;
				void* _t113;

				_t108 = __edi;
				_v632 = 0;
				_v596 = 0;
				_v604 = 0;
				_v600 = 0;
				_v8 = 0;
				_push(_t113);
				_push(0x409ef7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffd8c;
				_t89 =  *((intOrPtr*)(_a4 - 4));
				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
					_t52 =  *0x412c04; // 0x406bac
					E004063E4(_t52,  &_v8);
				} else {
					_t86 =  *0x412c80; // 0x406ba4
					E004063E4(_t86,  &_v8);
				}
				_t110 =  *((intOrPtr*)(_t89 + 0x18));
				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
				if(_v36.State != 0x1000 || GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105) == 0) {
					_v628 =  *(_t89 + 0xc);
					_v624 = 5;
					_v620 = _v8;
					_v616 = 0x11;
					_v612 = _t110;
					_v608 = 5;
					_push( &_v628);
					_t60 =  *0x412c0c; // 0x406b4c
					E004063E4(_t60,  &_v632, 2);
					E00409860(_t89, _v632, 1, _t108, _t110);
				} else {
					_v592 =  *(_t89 + 0xc);
					_v588 = 5;
					E00404E50( &_v600, 0x105,  &_v558);
					E00408028(_v600,  &_v596);
					_v584 = _v596;
					_v580 = 0x11;
					_v576 = _v8;
					_v572 = 0x11;
					_v568 = _t110;
					_v564 = 5;
					_push( &_v592);
					_t82 =  *0x412c38; // 0x406c1c
					E004063E4(_t82,  &_v604, 3);
					E00409860(_t89, _v604, 1, _t108, _t110);
				}
				_pop(_t101);
				 *[fs:eax] = _t101;
				_push(E00409EFE);
				L00404C88( &_v632);
				L00404C90( &_v604, 3);
				return L00404C88( &_v8);
			}

0x00409d3a
0x00409d49
0x00409d4f
0x00409d55
0x00409d5b
0x00409d61
0x00409d66
0x00409d67
0x00409d6c
0x00409d6f
0x00409d75
0x00409d7c
0x00409d90
0x00409d95
0x00409d7e
0x00409d81
0x00409d86
0x00409d86
0x00409d9a
0x00409da7
0x00409db3
0x00409e6f
0x00409e75
0x00409e7f
0x00409e85
0x00409e8c
0x00409e92
0x00409e9f
0x00409ea8
0x00409ead
0x00409ebf
0x00409dd6
0x00409dd9
0x00409ddf
0x00409df7
0x00409e08
0x00409e13
0x00409e19
0x00409e23
0x00409e29
0x00409e30
0x00409e36
0x00409e43
0x00409e4c
0x00409e51
0x00409e63
0x00409e68
0x00409ec8
0x00409ecb
0x00409ece
0x00409ed9
0x00409ee9
0x00409ef6

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,00409EF7), ref: 00409DA7
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,00409EF7), ref: 00409DC9

Part of subcall function 004063E4: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00406429

Strings

u@, xrefs: 00409E5E

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: u@
API String ID: 902310565-3232061631
Opcode ID: 803c9cc7856af3ac950bd715bc8bc3bbbc638ef6bdeafcb244893eb738825441
Instruction ID: ca758b4f96bfb77009ae275c47d805f447a219e65d8d40a01463ddbbb4a05e8c
Opcode Fuzzy Hash: 803c9cc7856af3ac950bd715bc8bc3bbbc638ef6bdeafcb244893eb738825441
Instruction Fuzzy Hash: 0A313C709002589FDB60EF64CC85B8AB7F8EB48304F0144EAA508F7281E7789E84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE68, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040EE68(void* __ecx) {
				char _v8;
				intOrPtr _t17;
				intOrPtr _t20;

				_push(0);
				_push(_t20);
				 *[fs:eax] = _t20;
				E00404CEC( &_v8, L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n\r\nFor more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline",  *[fs:eax]);
				MessageBoxW(0, E00404D24(_v8), L"Setup", 0x10);
				_t17 = 0x40eeb5;
				 *[fs:eax] = _t17;
				_push(E0040EEBC);
				return L00404C88( &_v8);
			}

0x0040ee6b
0x0040ee6f
0x0040ee78
0x0040ee83
0x0040ee9a
0x0040eea1
0x0040eea4
0x0040eea7
0x0040eeb4

APIs

MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 0040EE9A

Strings

Setup, xrefs: 0040EE8A
The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 0040EE7E

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: Message
String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
API String ID: 2030045667-2353098591
Opcode ID: 3f22f5bdfd00b5526a11fead451ef0713966d62effaaaaed0f75cf52d05feab8
Instruction ID: 0883e15896c4b772834ba87302cf9c47b33127b330fab632c4ce07624bd07afc
Opcode Fuzzy Hash: 3f22f5bdfd00b5526a11fead451ef0713966d62effaaaaed0f75cf52d05feab8
Instruction Fuzzy Hash: 02E0657424820CAAF301B652DD13F5AB69CD788B04F62487BF900B19C1D6B95E109468

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABF8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ABF8() {
				void* __ebx;
				struct HINSTANCE__* _t1;
				void* _t4;

				_t1 = GetModuleHandleW(L"kernel32.dll");
				_t3 = _t1;
				if(_t1 != 0) {
					_t1 = E00406728(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
					 *0x412810 = _t1;
				}
				if( *0x412810 == 0) {
					 *0x412810 = E00408068;
					return E00408068;
				}
				return _t1;
			}

0x0040abfe
0x0040ac03
0x0040ac07
0x0040ac0f
0x0040ac14
0x0040ac14
0x0040ac20
0x0040ac27
0x00000000
0x0040ac27
0x0040ac2d

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,004115E0,00000000,004115F3), ref: 0040ABFE

Part of subcall function 00406728: GetProcAddress.KERNEL32(?,0040BDAE), ref: 0040674C

Strings

GetDiskFreeSpaceExW, xrefs: 0040AC09
kernel32.dll, xrefs: 0040ABF9

Memory Dump Source

Source File: 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.348986360.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349009578.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349019503.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.349029357.000000000041C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349041903.0000000000427000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.349048284.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 1646373207-1127948838
Opcode ID: fe33998cc9cc36d521a582d18847cefbb746d69cd43996148563fe781e2b6cb8
Instruction ID: caf3bee2458b42963bc9357fb50682e39eca259f80fc94b3950681cf825eb87a
Opcode Fuzzy Hash: fe33998cc9cc36d521a582d18847cefbb746d69cd43996148563fe781e2b6cb8
Instruction Fuzzy Hash: 77D05E713083014FE3007BB06E8160A25C8A301309B029A3BA401B62D2C7FD4835875E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: sfk_setup.tmp PID: 6772 Parent PID: 6736 sfk_setup.tmpCOMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	158

Executed Functions

Function 00408370, Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 207
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,00000000), ref: 0040838C
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 004083AC
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 004083CA
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 004083E8
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00408406
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004084A4,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 0040844F
RegQueryValueExW.ADVAPI32(?,00408698,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004084A4,?,80000001), ref: 0040846D
RegCloseKey.ADVAPI32(?,004084AB,00000000,?,?,00000000,004084A4,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040849E
lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 004084BB
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004084C8
GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 004084CE
lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004084FC
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00408552
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00408562
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00408592
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004085A2
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004085D1

Strings

Software\Borland\Delphi\Locales, xrefs: 004083FC
Software\CodeGear\Locales, xrefs: 004083A2, 004083C0
Software\Borland\Locales, xrefs: 004083DE

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Openlstrcpyn$LibraryLoadLocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
API String ID: 3838733197-345420546
Opcode ID: dafdfd18fb6c40a2d41f9fc4910561df257b48953a1921b5bcc087da3586443a
Instruction ID: a500898f6dc47257e1585acfd824c909a598bb48bb2a219c79c4edbb62c36863
Opcode Fuzzy Hash: dafdfd18fb6c40a2d41f9fc4910561df257b48953a1921b5bcc087da3586443a
Instruction Fuzzy Hash: 3B615271A402197AEB20DAE5CD46FEF72BC9B08704F44407BBA40F65C1FABC9A448B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004B8A78, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 174
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 004B8A93
GetModuleHandleW.KERNEL32(advapi32.dll), ref: 004B8AB4
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 004B8AC1
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 004B8ACE
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 004B8ADC
AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,004B8CB3), ref: 004B8B7C
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,004B8CB3), ref: 004B8B85
LocalFree.KERNEL32(?,004B8C60), ref: 004B8C53

Strings

GetNamedSecurityInfoW, xrefs: 004B8ABB
advapi32.dll, xrefs: 004B8AAF
SetEntriesInAclW, xrefs: 004B8AD6
W, xrefs: 004B8B93
SetNamedSecurityInfoW, xrefs: 004B8AC8

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressProc$AllocateErrorFreeHandleInitializeLastLocalModuleVersion
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 4088882585-4263478283
Opcode ID: e470e76dbb7141f3320895f6a1926b685bea5dfdd9640bf6a8e56b54529c9f24
Instruction ID: afc200dc3f936ce53cb1efbb79d5f7f4363e73e43a3005e33bf7901514434693
Opcode Fuzzy Hash: e470e76dbb7141f3320895f6a1926b685bea5dfdd9640bf6a8e56b54529c9f24
Instruction Fuzzy Hash: 335130B1901608AFDB10DFA9C845BEEB7F8EB48314F20846AF515E7281DA799D41CF78

Uniqueness

Uniqueness Score: -1.00%

Function 004084AB, Relevance: 15.1, APIs: 10, Instructions: 108
stringlibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 004084BB
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004084C8
GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 004084CE
lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004084FC
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00408552
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00408562
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00408592
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004085A2
lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004085D1
LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?), ref: 004085E1

Strings

Software\Borland\Delphi\Locales, xrefs: 004083FC
Software\CodeGear\Locales, xrefs: 004083A2, 004083C0
Software\Borland\Locales, xrefs: 004083DE

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
API String ID: 1599918012-345420546
Opcode ID: 4178ec917de22c9fa02476d0238962d15125bf17bcff0688646d60131478852f
Instruction ID: 2bdfecea2a4ebc7d9a87a4a5d20900cc82af348492f95972f04b7fe5743583f5
Opcode Fuzzy Hash: 4178ec917de22c9fa02476d0238962d15125bf17bcff0688646d60131478852f
Instruction Fuzzy Hash: 9B319671E0011976EB21DAE4DD49BEF62BC9B08304F44417BE540F76C1FABC9E448B59

Uniqueness

Uniqueness Score: -1.00%

Function 004736F8, Relevance: 12.4, APIs: 8, Instructions: 381windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(00000000), ref: 004737D0
SetFocus.USER32(00000000), ref: 00473871
SaveDC.GDI32(?), ref: 00473A33
RestoreDC.GDI32(?,?), ref: 00473AA4
GetWindowDC.USER32(00000000), ref: 00473B10
SaveDC.GDI32(?), ref: 00473B47
RestoreDC.GDI32(?,?), ref: 00473BAB

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: RestoreSave$FocusIconicWindow
String ID:
API String ID: 1400084646-0
Opcode ID: 9802a62c35b454d1a20b4831adc35584bce121d19a987b877a80d978b65b5a1a
Instruction ID: 99e17f549cdb5917a778106b727c30c82aaf18a9347542855764466411fd1eb0
Opcode Fuzzy Hash: 9802a62c35b454d1a20b4831adc35584bce121d19a987b877a80d978b65b5a1a
Instruction Fuzzy Hash: 93E1B271A00144DFDB11EF69C486AEEB3F1AB45305F1580AAF408AB752DB38DF44EB58

Uniqueness

Uniqueness Score: -1.00%

Function 00470AAC, Relevance: 12.1, APIs: 8, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00470ABA
IsIconic.USER32(?), ref: 00470AE8
IsWindowVisible.USER32(?), ref: 00470AF8
ShowWindow.USER32(?,00000000,?,?,?,000000EC,00000000,?,?,?,0047C5E9,?,?), ref: 00470B15
SetWindowLongW.USER32 ref: 00470B28
SetWindowLongW.USER32 ref: 00470B39
ShowWindow.USER32(?,00000006,?,000000EC,00000000,?,?,?,000000EC,00000000,?,?,?,0047C5E9,?,?), ref: 00470B59
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,?,?,000000EC,00000000,?,?,?,0047C5E9,?,?), ref: 00470B63

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$LongShow$IconicVisible
String ID:
API String ID: 3484284227-0
Opcode ID: e5bb252052c3827ce0eb22ee7d105633cbd16a1b31010b5b68aa5c162d411533
Instruction ID: 0663f641c79fd0f2b1ef215e53694840f19cf8e665cc319dda5b02ef108d7702
Opcode Fuzzy Hash: e5bb252052c3827ce0eb22ee7d105633cbd16a1b31010b5b68aa5c162d411533
Instruction Fuzzy Hash: CB11860154F790B4D62266664C02FEF5A944FD3319F18862BF5D8A12C3C23D9A45C16F

Uniqueness

Uniqueness Score: -1.00%

Function 0045C584, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

0bE, xrefs: 0045C6E5

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID: 0bE
API String ID: 0-2320990392
Opcode ID: 63d263fffbbd25b6d1895130179b8056985af304b6c16d13ea4698ee5f53c0aa
Instruction ID: c4681dd61e4fb1f14eeb39d814ec3ec5ab6ecb4a9d3bf7d1bb4788cbae046c2f
Opcode Fuzzy Hash: 63d263fffbbd25b6d1895130179b8056985af304b6c16d13ea4698ee5f53c0aa
Instruction Fuzzy Hash: B481A2346007559FC710EB29C4C87AB77E1AF49706F14416BE845973A2C7B8DD8DCB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004CC238, Relevance: 3.1, APIs: 2, Instructions: 52comCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004CC2CE,?,00000000,00000000,?,004CC2E4,?,004E945F), ref: 004CC255
CoCreateInstance.OLE32(005043F4,00000000,00000001,00504404,00000000,00000000,004CC2CE,?,00000000,00000000,?,004CC2E4,?,004E945F), ref: 004CC27B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateInstanceVersion
String ID:
API String ID: 1462612201-0
Opcode ID: 5a8272a58d779a9ff3e59e3225e9fe670217fcd39215f7047cd38be8f1673ff7
Instruction ID: 0cbb7ac2259295afb7b051eb659837b379e3d7c8e3a609428212a0dba58409b6
Opcode Fuzzy Hash: 5a8272a58d779a9ff3e59e3225e9fe670217fcd39215f7047cd38be8f1673ff7
Instruction Fuzzy Hash: 29112276600208AFEB50EBA5CD85F5EB7E8EB04704F9140BAF504D72A1CB789D04DB28

Uniqueness

Uniqueness Score: -1.00%

Function 004AD294, Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,004AD2F7,?,00000000,?), ref: 004AD2D1
GetLastError.KERNEL32(00000000,?,00000000,004AD2F7,?,00000000,?), ref: 004AD2D9

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: c3989025904623eb7fb7b3387c10b1aa8a3ac9527e43e2b9db8540afddc07d10
Instruction ID: 78257613f464c8d49f4cf456e1dc99373cdef011849c960ad9d6e2ab1376e905
Opcode Fuzzy Hash: c3989025904623eb7fb7b3387c10b1aa8a3ac9527e43e2b9db8540afddc07d10
Instruction Fuzzy Hash: A6F0F932E042086FCB11DB6A9C4149EB7A8DB5A324B5146BBF814E36C1DA798D118198

Uniqueness

Uniqueness Score: -1.00%

Function 0047FFEC, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 178
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00503DD4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00480027
GetVersion.KERNEL32(00000000,004801D0,?,00503DD4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00480044
GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,004801D0,?,00503DD4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0048005E
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,004801D0,?,00503DD4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00480079
FreeSid.ADVAPI32(00000000,004801D7,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004801CA

Strings

advapi32.dll, xrefs: 00480059
CheckTokenMembership, xrefs: 00480054

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2691416632-1888249752
Opcode ID: 184b2f3b108fc21e836035392c7f2c6a81167f3c29875d198c30ed0b3d5a9bfc
Instruction ID: 470ffb4e3a3b4e5bbcdb8d5971faf8775aa8bc9487a6afa9a0b77fb0be6964cb
Opcode Fuzzy Hash: 184b2f3b108fc21e836035392c7f2c6a81167f3c29875d198c30ed0b3d5a9bfc
Instruction Fuzzy Hash: 83518371A14305AEDB51FAE58C46BBF77A8AB44314F50087BBA00F22C2D67D9D088769

Uniqueness

Uniqueness Score: -1.00%

Function 00469138, Relevance: 29.8, APIs: 4, Strings: 13, Instructions: 95
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008000), ref: 00469151
GetModuleHandleW.KERNEL32(USER32,00000000,0046929E,?,00008000), ref: 00469175

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

LoadLibraryW.KERNEL32(imm32.dll,00000000,0046929E,?,00008000), ref: 0046919E
SetErrorMode.KERNEL32(?,004692A5,00008000), ref: 00469298

Strings

WINNLSEnableIME, xrefs: 0046917C
imm32.dll, xrefs: 00469199
ImmGetConversionStatus, xrefs: 004691DF
USER32, xrefs: 00469170
ImmGetCompositionStringW, xrefs: 00469248
ImmSetCompositionWindow, xrefs: 0046921E
ImmIsIME, xrefs: 0046925D
ImmReleaseContext, xrefs: 004691CA
ImmSetCompositionFontW, xrefs: 00469233
ImmSetOpenStatus, xrefs: 00469209
ImmSetConversionStatus, xrefs: 004691F4
ImmNotifyIME, xrefs: 00469272
ImmGetContext, xrefs: 004691B5

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorMode$AddressHandleLibraryLoadModuleProc
String ID: ImmGetCompositionStringW$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontW$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
API String ID: 380357001-1271369619
Opcode ID: cc255cebe79497f63cc62dd3eb15194d18d6a6ee4423562f12d96756175552fe
Instruction ID: a20cdc48d3bf8192737b9d12f2fa3ae1b41f6e2d35867b52f5b2177e1cc57648
Opcode Fuzzy Hash: cc255cebe79497f63cc62dd3eb15194d18d6a6ee4423562f12d96756175552fe
Instruction Fuzzy Hash: 6A314671A44740AEEB05DF66ED96A6E77ACE314708F10082BF400972A2E7BD4D48DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004776A8, Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

B, xrefs: 004776DF

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: LoadString
String ID: B
API String ID: 2948472770-3806887055
Opcode ID: 31c5849285ad05b6350753acc4d0f00da6300ece0c546b030a7b3166ff9fbe4f
Instruction ID: b81540708de43d09cf1f9f40778678433dda0340ca0a11ccf17e291287917346
Opcode Fuzzy Hash: 31c5849285ad05b6350753acc4d0f00da6300ece0c546b030a7b3166ff9fbe4f
Instruction Fuzzy Hash: 30127F71A14244EFDB01EBA8C985FDD77F4BB08304F5585A6E908EB362D739AE04DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0047B4AC, Relevance: 19.9, APIs: 13, Instructions: 429
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20e96e510084b5531ad26f5b8070cd2c5af7fa3745d22eae3f25dae425ac069
Instruction ID: 742d3f5ed802d9271d9bffeb4ef0ec10d082987a2623d0121d7fd6f12202aa94
Opcode Fuzzy Hash: a20e96e510084b5531ad26f5b8070cd2c5af7fa3745d22eae3f25dae425ac069
Instruction Fuzzy Hash: 01F14D30600208DFDB11DF69C585BDEB7B1EF08314F14C5A6E809AB766C738AE45DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004DE288, Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoTaskMemFree.OLE32(?,004DE4AA,?,00000005,00000000,00000000,?,004FCCF4,00000006,?,00000000,004FD285,?,00000000,004FD344), ref: 004DE49D
CoTaskMemFree.OLE32(?,004DE4FD,?,00000005,00000000,00000000,?,004FCCF4,00000006,?,00000000,004FD285,?,00000000,004FD344), ref: 004DE4F0

Strings

cmd.exe, xrefs: 004DE51B
ProgramFilesDir, xrefs: 004DE355, 004DE3DC
SystemDrive, xrefs: 004DE2F2
CommonFilesDir, xrefs: 004DE38F, 004DE40B
COMMAND.COM, xrefs: 004DE53C
Common Files, xrefs: 004DE3C6
Failed to get path of 64-bit Program Files directory, xrefs: 004DE3FE
Failed to get path of 64-bit Common Files directory, xrefs: 004DE42D
\Program Files, xrefs: 004DE37C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FreeTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 734271698-544719455
Opcode ID: d423443ae0a8fea9dea31847c16ffedb43bdeed1c75c7984ee3a13eee985c989
Instruction ID: b8caeeca8f96ab44b67d8ef63914c586ba38b2995f5742af6ff0583ae043f2bf
Opcode Fuzzy Hash: d423443ae0a8fea9dea31847c16ffedb43bdeed1c75c7984ee3a13eee985c989
Instruction Fuzzy Hash: E771A6756002059FEB10FB96D8A2B9EB7A5EB88708F608477F4016B381D73C9D05DB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0047ABF0, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoW.USER32 ref: 0047AC52
RegisterClassW.USER32 ref: 0047AC6A

Part of subcall function 00408D5C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00408DA1

SetWindowLongW.USER32 ref: 0047AD0A
SendMessageW.USER32(8840C01B,00000080,00000001,00000000), ref: 0047AD2F
SetClassLongW.USER32(8840C01B,000000F2,00000000), ref: 0047AD45
GetSystemMenu.USER32(8840C01B,00000000,8840C01B,000000FC,56022444,00000000,00400000,00000000,00000000,00000000,00000000,00000000), ref: 0047AD53
DeleteMenu.USER32(00000000,0000F030,00000000,8840C01B,00000000,8840C01B,000000FC,56022444,00000000,00400000,00000000,00000000,00000000,00000000,00000000), ref: 0047AD62
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,8840C01B,00000000,8840C01B,000000FC,56022444,00000000,00400000,00000000,00000000,00000000), ref: 0047AD6F
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,8840C01B,00000000,8840C01B,000000FC,56022444,00000000,00400000), ref: 0047AD86

Strings

T`P, xrefs: 0047AC19
8B, xrefs: 0047AC86

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Menu$ClassDelete$Long$InfoLoadMessageRegisterSendStringSystemWindow
String ID: 8B$T`P
API String ID: 2334458219-3527321834
Opcode ID: 312b9b7f9523c30c7999294a3f0403e1771b62bbf22815323291dcff78fcd9c4
Instruction ID: 8541d3cd1cdf845da61a4b1f88b0931a71af77d491e3ba0bb05bdbbd616d903d
Opcode Fuzzy Hash: 312b9b7f9523c30c7999294a3f0403e1771b62bbf22815323291dcff78fcd9c4
Instruction Fuzzy Hash: 964153716042006FEB11EB79DC81FAE37A9BB44304F544575F908EF2E2DA79AC148729

Uniqueness

Uniqueness Score: -1.00%

Function 00469620, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 108
registrythreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,00000000,004697AB), ref: 00469641
GlobalAddAtomW.KERNEL32 ref: 00469674
GetCurrentThreadId.KERNEL32 ref: 0046968F
GlobalAddAtomW.KERNEL32 ref: 004696C5
RegisterWindowMessageW.USER32(00000000,00000000,?,00000000,?,00000000,004697AB), ref: 004696DB

Part of subcall function 00423814: InitializeCriticalSection.KERNEL32(00420E94,?,?,004696F1,00000000,00000000,?,00000000,?,00000000,004697AB), ref: 00423833

Part of subcall function 00469138: SetErrorMode.KERNEL32(00008000), ref: 00469151
Part of subcall function 00469138: GetModuleHandleW.KERNEL32(USER32,00000000,0046929E,?,00008000), ref: 00469175
Part of subcall function 00469138: LoadLibraryW.KERNEL32(imm32.dll,00000000,0046929E,?,00008000), ref: 0046919E
Part of subcall function 00469138: SetErrorMode.KERNEL32(?,004692A5,00008000), ref: 00469298

Part of subcall function 004793CC: GetKeyboardLayout.USER32 ref: 00479411
Part of subcall function 004793CC: GetDC.USER32(00000000), ref: 00479466
Part of subcall function 004793CC: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00479470
Part of subcall function 004793CC: ReleaseDC.USER32 ref: 0047947B

Part of subcall function 0047A828: OleInitialize.OLE32(00000000), ref: 0047A859
Part of subcall function 0047A828: LoadIconW.USER32(00400000,MAINICON), ref: 0047A944
Part of subcall function 0047A828: GetModuleFileNameW.KERNEL32(00400000,?,00000100,?,?,?,00469730,00000000,00000000,?,00000000,?,00000000,004697AB), ref: 0047A988

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,004697AB), ref: 0046975E

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

AnimateWindow, xrefs: 0046977D
ControlOfs%.8X%.8X, xrefs: 004696A3
USER32, xrefs: 00469759
Delphi%.8X, xrefs: 00469652
4YE, xrefs: 0046974A

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Module$AtomCurrentErrorGlobalHandleInitializeLoadMode$AddressCapsCriticalDeviceFileIconKeyboardLayoutLibraryMessageNameProcProcessRegisterReleaseSectionThreadWindow
String ID: 4YE$AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 2902964639-2600279602
Opcode ID: 7968c25497fd82bd1cd5d9b5be7d164db108b0ff4fd483f6d56e33063d0860d8
Instruction ID: dbbcc6664016fbe0662ba1cc9e706fe81c7e7fe52a1c5dd0642bc4d89a2b8b3e
Opcode Fuzzy Hash: 7968c25497fd82bd1cd5d9b5be7d164db108b0ff4fd483f6d56e33063d0860d8
Instruction Fuzzy Hash: B6418170A002059FD700FF6ADC92A9E77E8EB19308B51843BF415E73A2E7799D089B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0045772C, Relevance: 16.6, APIs: 11, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsWindowUnicode.USER32(?), ref: 00457746
SetWindowLongW.USER32 ref: 00457761
GetWindowLongW.USER32(?,000000F0), ref: 0045776C
GetWindowLongW.USER32(?,000000F4), ref: 0045777E
SetWindowLongW.USER32 ref: 00457791
SetWindowLongW.USER32 ref: 004577AA
GetWindowLongW.USER32(?,000000F0), ref: 004577B5
GetWindowLongW.USER32(?,000000F4), ref: 004577C7
SetWindowLongW.USER32 ref: 004577DA
SetPropW.USER32(?,00000000,00000000), ref: 004577F1
SetPropW.USER32(?,00000000,00000000), ref: 00457808

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$Long$Prop$Unicode
String ID:
API String ID: 1693715928-0
Opcode ID: 4e8e89fc14b60baab23b8e6bb04f0cab4a7c7f82b789d9dcf25034671e4204b2
Instruction ID: 125025efc1e0c9eb7fd862ca22611ef6d5d70f106df6353254ea4012160e3e6e
Opcode Fuzzy Hash: 4e8e89fc14b60baab23b8e6bb04f0cab4a7c7f82b789d9dcf25034671e4204b2
Instruction Fuzzy Hash: 1931F276604248BBDF10DF9DDC84D9A37ACAB08364F108626BD24DB6E2D338ED54DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004AA464, Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 74
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,004AA580,?,?,00000000,00000000,?,004E2F01), ref: 004AA48D

Part of subcall function 004AA434: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004AA44C

LoadLibraryW.KERNEL32(00000000,00000000,004AA580,?,?,00000000,00000000,?,004E2F01), ref: 004AA4CA

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,00000000), ref: 00409666

Strings

RmRegisterResources, xrefs: 004AA4F2
RmStartSession, xrefs: 004AA4DD
Rstrtmgr.dll, xrefs: 004AA4B7
RmEndSession, xrefs: 004AA546
RmGetList, xrefs: 004AA507
RmShutdown, xrefs: 004AA51C
RmRestart, xrefs: 004AA531

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystemVersion
String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
API String ID: 2754715182-3419246398
Opcode ID: 552b84ea8e20de6501f5e9fbd841ae430bb56c8dfefd1ae8afc8df1d1edbb43e
Instruction ID: 20e81082da0d80a83eebd0b282948123d4da6e59cfc27c4d15237d518a3e0bff
Opcode Fuzzy Hash: 552b84ea8e20de6501f5e9fbd841ae430bb56c8dfefd1ae8afc8df1d1edbb43e
Instruction Fuzzy Hash: AC217470D10204AFEF10EF61EC86B6D37A9E729708F954A3AB40097293D73C5A18EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004780A4, Relevance: 15.2, APIs: 10, Instructions: 163
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCapture.USER32 ref: 00478115
GetCapture.USER32 ref: 00478124
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 0047812A
ReleaseCapture.USER32(00000000,004783CE), ref: 0047812F
GetActiveWindow.USER32 ref: 0047814C
IsWindow.USER32(00000000), ref: 00478192
GetActiveWindow.USER32 ref: 0047819B
SendMessageW.USER32(00000000,0000B000,00000000,00000000), ref: 00478231
SendMessageW.USER32(00000000,0000B001,00000000,00000000), ref: 0047829E
GetActiveWindow.USER32 ref: 004782AD

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$ActiveCaptureMessageSend$Release
String ID:
API String ID: 3054343883-0
Opcode ID: 83ce2fe64cdecee3105c3bd4426225e45519b78223108121622b84295dbeeae1
Instruction ID: 1011f0d6a0b22324e5b38a8d1e40496526cded5341397e34e6f9d31782d1d69e
Opcode Fuzzy Hash: 83ce2fe64cdecee3105c3bd4426225e45519b78223108121622b84295dbeeae1
Instruction Fuzzy Hash: 1A615270A40248DFEB10EF69C989B9E77F5FF45704F5484AAF404AB2A2DB789D04DB48

Uniqueness

Uniqueness Score: -1.00%

Function 00474420, Relevance: 15.1, APIs: 10, Instructions: 133
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 00474491
GetWindowLongW.USER32(00000000,000000EC), ref: 004744A3
GetClassLongW.USER32(00000000,000000E6), ref: 004744B6
SetWindowLongW.USER32 ref: 004744F6
SetWindowLongW.USER32 ref: 0047450A
SetClassLongW.USER32(00000000,000000E6,?), ref: 0047451E
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00474558
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00474570
GetSystemMenu.USER32(00000000,000000FF,00000000,000000E6,?,00000000,000000EC,?,00000000,000000F0,00000000,?,00000000,000000EC,00000000,000000F0), ref: 0047457F
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037,00000000,000000E6,?,00000000,000000EC,?,00000000,000000F0,00000000), ref: 004745A8

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Long$Window$ClassMessageSend$MenuSystem
String ID:
API String ID: 494549727-0
Opcode ID: fd2a442789ba486d97912f1be2c9dea9f1b08cc32740a22f707074a0201fc805
Instruction ID: 6bde442644add904aef0f3c480088742fb8a5dcf9d70a4a041b36557313e0d6e
Opcode Fuzzy Hash: fd2a442789ba486d97912f1be2c9dea9f1b08cc32740a22f707074a0201fc805
Instruction Fuzzy Hash: 0C41087070828076DA01FB7D4C46BBE76891FC1308F08861AB594AB2D3CB7D9D61E34E

Uniqueness

Uniqueness Score: -1.00%

Function 0047A828, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 150comwindowCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0047A859
LoadIconW.USER32(00400000,MAINICON), ref: 0047A944
GetModuleFileNameW.KERNEL32(00400000,?,00000100,?,?,?,00469730,00000000,00000000,?,00000000,?,00000000,004697AB), ref: 0047A988
CharNextW.USER32(?,00400000,?,00000100,?,?,?,00469730,00000000,00000000,?,00000000,?,00000000,004697AB), ref: 0047A9CD
CharLowerW.USER32(00000000,?,00400000,?,00000100,?,?,?,00469730,00000000,00000000,?,00000000,?,00000000,004697AB), ref: 0047A9D3

Part of subcall function 0047ABF0: GetClassInfoW.USER32 ref: 0047AC52
Part of subcall function 0047ABF0: RegisterClassW.USER32 ref: 0047AC6A
Part of subcall function 0047ABF0: SetWindowLongW.USER32 ref: 0047AD0A
Part of subcall function 0047ABF0: SendMessageW.USER32(8840C01B,00000080,00000001,00000000), ref: 0047AD2F

Strings

@`P, xrefs: 0047A84D, 0047AA06
8`P, xrefs: 0047A93C, 0047A980
MAINICON, xrefs: 0047A937

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CharClass$FileIconInfoInitializeLoadLongLowerMessageModuleNameNextRegisterSendWindow
String ID: 8`P$@`P$MAINICON
API String ID: 896494604-2479441349
Opcode ID: 1e5fd95e3d02b66ebac675ce727d18af330e138452b531cbecc1c41017ffe821
Instruction ID: 4598063fd3f050a30bd4bb6a08bc362ac08fa802665ce3c87ab879b9158c036f
Opcode Fuzzy Hash: 1e5fd95e3d02b66ebac675ce727d18af330e138452b531cbecc1c41017ffe821
Instruction Fuzzy Hash: D56160706002408FDB50EF79C885B8A3BE4AF55308F4484BAED48DF397D7B99848CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0045F97C, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 134registryCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 0045FA4C
UnregisterClassW.USER32 ref: 0045FA77
RegisterClassW.USER32 ref: 0045FA96
GetWindowLongW.USER32(00000000,000000F0), ref: 0045FAD2
GetWindowLongW.USER32(00000000,000000F4), ref: 0045FAE7
SetWindowLongW.USER32 ref: 0045FAFA

Strings

0bE, xrefs: 0045F9D0
@, xrefs: 0045F9B8

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ClassLongWindow$InfoRegisterUnregister
String ID: 0bE$@
API String ID: 717780171-122265358
Opcode ID: 7065fec35a3d2a304e315f1369ba72ac07a3eacd3a5377e231ff417d9ec61f7d
Instruction ID: bb4addde47a978899e9994ef4f08d1b2e8de62353fa3dc6971f42be30fd904fc
Opcode Fuzzy Hash: 7065fec35a3d2a304e315f1369ba72ac07a3eacd3a5377e231ff417d9ec61f7d
Instruction Fuzzy Hash: 4A51A5706003549BDB20EF69CC41B9A73A9AF05305F1045BAF949D7292DB78AD88CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0046163C, Relevance: 13.7, APIs: 9, Instructions: 192COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 004616A8

Part of subcall function 00460EBC: BeginPaint.USER32(00000000,?), ref: 00460EE7
Part of subcall function 00460EBC: EndPaint.USER32(00000000,?,00461022), ref: 00461015

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Paint$Begin
String ID:
API String ID: 3787552996-0
Opcode ID: 7c409f4ab0597410b05749fba46433bfd8b4f4b8770711e8726df9f751545dc2
Instruction ID: d46ae31251de83a97f6ba12247c19facf33136aff6cd86709a6d8903bde49e13
Opcode Fuzzy Hash: 7c409f4ab0597410b05749fba46433bfd8b4f4b8770711e8726df9f751545dc2
Instruction Fuzzy Hash: E6614575A00148AFDB04EFE9C951EAEBBF9EB49304F14406AF504E7361D738AE01CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004458BC, Relevance: 13.7, APIs: 9, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 00431848: InitializeCriticalSection.KERNEL32(00433F14,00433ED8,00000000,00000001,0043406E,00000000,?,00000000,00435659), ref: 00431868

Part of subcall function 00431F18: FrameRect.USER32 ref: 00431F41

InflateRect.USER32(?,000000FF,000000FF), ref: 0044592D
InflateRect.USER32(?,000000FF,000000FF), ref: 0044599D
GetWindowLongW.USER32(00000000,000000F0), ref: 004459C2
GetSystemMetrics.USER32 ref: 004459F7
GetSystemMetrics.USER32 ref: 00445A15
DrawEdge.USER32(00000000,?,00000000,00000008), ref: 00445A7A
GetSystemMetrics.USER32 ref: 00445A81
DrawFrameControl.USER32 ref: 00445AB6
DrawFrameControl.USER32 ref: 00445AD1

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: DrawFrameMetricsRectSystem$ControlInflate$CriticalEdgeInitializeLongSectionWindow
String ID:
API String ID: 1915978996-0
Opcode ID: 03f134dd0134301db97ce73585b55a69737ace2bf493c903886dc178de53db3e
Instruction ID: e5c7667d68e5aa7310727093ebd7b4fe04d5cf93aebfcfcf51c9aee4529f5956
Opcode Fuzzy Hash: 03f134dd0134301db97ce73585b55a69737ace2bf493c903886dc178de53db3e
Instruction Fuzzy Hash: 7F618170A04245AFEF01EF69C985BDE77F4AF06314F280176A940BB297D7789E04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00479D8C, Relevance: 13.6, APIs: 9, Instructions: 106COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00479DE6
CreateFontIndirectW.GDI32(0000005C), ref: 00479DF3
GetStockObject.GDI32(0000000D), ref: 00479E06

Part of subcall function 004310D8: MulDiv.KERNEL32(00000000,?,00000048), ref: 004310E5

SystemParametersInfoW.USER32 ref: 00479E2D
CreateFontIndirectW.GDI32(?), ref: 00479E3D
CreateFontIndirectW.GDI32(?), ref: 00479E53
CreateFontIndirectW.GDI32(?), ref: 00479E6C
GetStockObject.GDI32(0000000D), ref: 00479E8F
GetStockObject.GDI32(0000000D), ref: 00479EA3

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateFontIndirect$ObjectStock$InfoParametersSystem
String ID:
API String ID: 2565622021-0
Opcode ID: 3855c4ae409a996207003510e8f705c24cfddba21bbaf5e177040d12a032337f
Instruction ID: f5799cbe55373404752a6dcd0957b159e49acc015314b586878f5ffac0ee02c6
Opcode Fuzzy Hash: 3855c4ae409a996207003510e8f705c24cfddba21bbaf5e177040d12a032337f
Instruction Fuzzy Hash: 854186306046449BEB50EB7ACD91B9A33E4AF48304F54807BB94CDB3A7DA789C05CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004C44E8, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 142windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045A758: KiUserCallbackDispatcher.NTDLL(?,00000000,?,?,004C4A09,0000000C), ref: 0045A76B

SHGetFileInfoW.SHELL32(c:\directory,00000010,?,000002B4,00001010), ref: 004C458B
ExtractIconW.SHELL32(00400000,00000000,?), ref: 004C45B2

Part of subcall function 004C4424: DrawIconEx.USER32 ref: 004C44BF
Part of subcall function 004C4424: DestroyIcon.USER32(?,004C44E2,?,00000020,00000020,00000000,00000000,00000003,?,00000020,?,?), ref: 004C44D5

ExtractIconW.SHELL32(00400000,00000000,00000027), ref: 004C460B
SHGetFileInfoW.SHELL32(00000000,00000000,?,000002B4,00001000), ref: 004C466C
ExtractIconW.SHELL32(00400000,00000000,?), ref: 004C4693

Strings

c:\directory, xrefs: 004C4586
shell32.dll, xrefs: 004C45EF

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Icon$Extract$FileInfo$CallbackDestroyDispatcherDrawUser
String ID: c:\directory$shell32.dll
API String ID: 350228638-1375355148
Opcode ID: f0d83c5d1efc28f01d1a8f98fef8e879719c3522288f11ce8ba15c6e9d46fd7b
Instruction ID: 1da30287260a14f896440c9f0ae22c16ea11510bd26958a61633ce3c97e55299
Opcode Fuzzy Hash: f0d83c5d1efc28f01d1a8f98fef8e879719c3522288f11ce8ba15c6e9d46fd7b
Instruction Fuzzy Hash: 4E518078600204AFCB50EB55C99AF9AB7E8EB49304F2081AAF80497386C73CDE448F59

Uniqueness

Uniqueness Score: -1.00%

Function 0047C268, Relevance: 12.1, APIs: 8, Instructions: 118windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 0047C284
PeekMessageW.USER32 ref: 0047C29C
IsWindowUnicode.USER32 ref: 0047C2B0
PeekMessageW.USER32 ref: 0047C2D7
PeekMessageA.USER32 ref: 0047C2ED
TranslateMessage.USER32 ref: 0047C378
DispatchMessageW.USER32 ref: 0047C385
DispatchMessageA.USER32 ref: 0047C38D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: aec265175d4dcb7c97616442d8e5c82354d272469c79db9d15f44d72e31fbebf
Instruction ID: f564e25ef9def22ee9d688585a514d3139351bcb3ac6a6811250e2314314223d
Opcode Fuzzy Hash: aec265175d4dcb7c97616442d8e5c82354d272469c79db9d15f44d72e31fbebf
Instruction Fuzzy Hash: 5E31B22074874075EA316A294CC6BEF57844F5270CF24C56FFDC9A72C3C7AD9846425E

Uniqueness

Uniqueness Score: -1.00%

Function 00474A7C, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 174windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 00474BA0
SetMenu.USER32(00000000,00000000), ref: 00474BBD
SetMenu.USER32(00000000,00000000), ref: 00474BF2
SetMenu.USER32(00000000,00000000,00000000,00474C90), ref: 00474C0E

Part of subcall function 00408D5C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00408DA1

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00474C55

Strings

dB, xrefs: 00474AEC

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Menu$LoadStringWindow
String ID: dB
API String ID: 1738039741-590823066
Opcode ID: e140ba25ba63dcf8f46a0a7b8082b5288493201059660a140f81187ce8ce75fb
Instruction ID: 242794a663fa9c04f36dd6bfc9733e18e3a1e7e904f1d9d6ef06693e97fba7fe
Opcode Fuzzy Hash: e140ba25ba63dcf8f46a0a7b8082b5288493201059660a140f81187ce8ce75fb
Instruction Fuzzy Hash: 59518E70B013445BDB21EF7A88857EA3698AB85308F05847BBC499B397CB7CDC48CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004AFA3C, Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 157COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,004AFC6C,004AFC6C,?,004AFC6C,00000000), ref: 004AFBF1
CloseHandle.KERNEL32(004FCF6D,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,004AFC6C,004AFC6C,?,004AFC6C), ref: 004AFBFE

Part of subcall function 004AF9A8: WaitForInputIdle.USER32 ref: 004AF9D4
Part of subcall function 004AF9A8: MsgWaitForMultipleObjects.USER32 ref: 004AF9F6
Part of subcall function 004AF9A8: GetExitCodeProcess.KERNEL32 ref: 004AFA07
Part of subcall function 004AF9A8: CloseHandle.KERNEL32(00000001,004AFA34,004AFA2D,?,?,?,00000001,?,?,004AFDD6,?,0000003C,00000000,004AFDEC), ref: 004AFA27

Strings

.bat, xrefs: 004AFAD8
COMMAND.COM" /C , xrefs: 004AFB5C
D, xrefs: 004AFB90
cmd.exe" /C ", xrefs: 004AFB25
.cmd, xrefs: 004AFAF3

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: 9549761f24674e75a1a8d65ef4facb71aa54c1c01a217c777a8b32c823b5dfa9
Instruction ID: 88e2853dccfaa7143611bf52dc62ae34b40875a7a0a12817af126c8a521733c8
Opcode Fuzzy Hash: 9549761f24674e75a1a8d65ef4facb71aa54c1c01a217c777a8b32c823b5dfa9
Instruction Fuzzy Hash: 39516870A0020C9BDB10EFD6C982BDEB7B9BF59304F60417BB804B7291D7789E199B59

Uniqueness

Uniqueness Score: -1.00%

Function 004799B4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 126registryCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,00479B61,?,00000000,?,00479C05,00000000,?,0045E17B,00460448,?,00000000,0045E1F9), ref: 00479A0C
RegOpenKeyExW.ADVAPI32(80000002,00000000), ref: 00479A74
RegQueryValueExW.ADVAPI32(?,layout text,00000000,00000000,?,00000200,00000000,00479B1D,?,80000002,00000000), ref: 00479AAE
RegCloseKey.ADVAPI32(?,00479B24,00000000,?,00000200,00000000,00479B1D,?,80000002,00000000), ref: 00479B17

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00479A5E
layout text, xrefs: 00479AA5

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-2652665750
Opcode ID: b3a485c0e166dcb435b7bc67bf712b1348be531460d20602af41734a65f45dd1
Instruction ID: 840c971cceb15e7099a20cec3684e3c81698b4dbb0a39db1a36b2c17f7ae8159
Opcode Fuzzy Hash: b3a485c0e166dcb435b7bc67bf712b1348be531460d20602af41734a65f45dd1
Instruction Fuzzy Hash: C0411874A002089FDB15DF55D982BDEB7F9FB48304F9184A6E908A7391D778AE00CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0048148C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91windowregistryCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 004814BB
GetFocus.USER32 ref: 004814C3
RegisterClassW.USER32 ref: 004814E4
ShowWindow.USER32(00000000,00000008,00000000,00400000,00000000,61736944,00000000,00000000,00000000,00000000,80000000,00000000,00400000,00000000,00000000,00000000), ref: 0048157C
SetFocus.USER32(00000000,00000000,0048159E,?,?,00000000,00000001,00000000,?,004B3357,?,00000000,00000000,004FE5AF,?,00000001), ref: 00481583

Strings

TWindowDisabler-Window, xrefs: 0048151B, 00481564

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FocusWindow$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 495420250-1824977358
Opcode ID: 228318ed0b1cae2d7259128f9f24f96d89976fc0744655dc0fc5f27cc2bcc331
Instruction ID: 49d0bc2b81e5ad620ede4f7c9f028102b8841b21f60e8c55bafaaeb2fca67e8d
Opcode Fuzzy Hash: 228318ed0b1cae2d7259128f9f24f96d89976fc0744655dc0fc5f27cc2bcc331
Instruction Fuzzy Hash: EE21B170A407007BE710FF659C52F2E72E9EB84B04F11892BB500AB2E1D77CAD158799

Uniqueness

Uniqueness Score: -1.00%

Function 004DE8AC, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,004DE9FE,?,0050B17C,00000005,00000000,00000000,?,004FE411,00000000,004FE5C9,?,00000000,004FE639), ref: 004DE937
GetLastError.KERNEL32(00000000,00000000,00000000,004DE9FE,?,0050B17C,00000005,00000000,00000000,?,004FE411,00000000,004FE5C9,?,00000000,004FE639), ref: 004DE940

Strings

Created temporary directory: , xrefs: 004DE8E9
_isetup, xrefs: 004DE922
\_setup64.tmp, xrefs: 004DE9B6

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup
API String ID: 1375471231-2952887711
Opcode ID: 39d5473fbae29a0daf7836b257ac2a571bcb7752ed2336daa5e98a3b6cdc05d4
Instruction ID: d615ad965eb37596d86b9359e25ae7b517ebc8272817c1d1977c1002efbd3dd7
Opcode Fuzzy Hash: 39d5473fbae29a0daf7836b257ac2a571bcb7752ed2336daa5e98a3b6cdc05d4
Instruction Fuzzy Hash: CB413774A001099BDB01FB96D892ADEB3B5EF44304F50417BF501B7395DB38AE05DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0050156C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00408F4C: GetModuleHandleW.KERNEL32(00000000,?,0050157F), ref: 00408F58

GetWindowLongW.USER32(?,000000EC), ref: 0050158F
SetWindowLongW.USER32 ref: 005015A2
SetErrorMode.KERNEL32(00000001,00000000,005015E7,?,?,000000EC,00000000), ref: 005015B7

Part of subcall function 004FE938: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,005015C1,00000001,00000000,005015E7,?,?,000000EC,00000000), ref: 004FE942

Part of subcall function 0047C3E4: SendMessageW.USER32(?,0000B020,00000000,?), ref: 0047C409

Part of subcall function 0047BF28: SetWindowTextW.USER32(?,00000000), ref: 0047BF58

ShowWindow.USER32(?,00000005,00000000,005015E7,?,?,000000EC,00000000), ref: 00501621

Part of subcall function 0047C4DC: GetWindowLongW.USER32(?,000000EC), ref: 0047C5B8
Part of subcall function 0047C4DC: SetWindowLongW.USER32 ref: 0047C5C6

Strings

Setup, xrefs: 00501607

Memory Dump Source

Source File: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$Long$HandleModule$ErrorMessageModeSendShowText
String ID: Setup
API String ID: 409482983-3839654196
Opcode ID: 5813d92d832c3a24bc5f91728c724cc08d1364cad99fd056d9369d2e3a652a44
Instruction ID: 85a335eca4af0587aa7e4792b47526a5508c6ab4af5c4621c7bb7e4a51b097de
Opcode Fuzzy Hash: 5813d92d832c3a24bc5f91728c724cc08d1364cad99fd056d9369d2e3a652a44
Instruction Fuzzy Hash: 14212A752006009FC311FF6ADC85D6A37E8FB4E715B050166F6058B7B2CA79AC04DF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0047B184, Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

EnumWindows.USER32(0047B090,00000000), ref: 0047B1BB
ShowWindow.USER32(?,00000000,0047B090,00000000), ref: 0047B1F2
ShowOwnedPopups.USER32(00000000,?,0047B090,00000000), ref: 0047B221
ShowWindow.USER32(?,00000005), ref: 0047B289
ShowOwnedPopups.USER32(00000000,?), ref: 0047B2B8

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Show$OwnedPopupsWindow$EnumWindows
String ID:
API String ID: 315437064-0
Opcode ID: 5fb92d1e255e78b0e6220409a9dd40a2776ac86e4a0dfad0f9c38248dc4dec0b
Instruction ID: 3d4273c88af56619a79c768caf10b4b06718961b4f248b211a3b28a4cc5d4f15
Opcode Fuzzy Hash: 5fb92d1e255e78b0e6220409a9dd40a2776ac86e4a0dfad0f9c38248dc4dec0b
Instruction Fuzzy Hash: EC4192306016008FE7209B79C849FEA73E5EB41358F1589ABE56D972E3C73CAC85C789

Uniqueness

Uniqueness Score: -1.00%

Function 004788F8, Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000EC), ref: 0047892C
SetWindowLongW.USER32 ref: 0047895E
SetLayeredWindowAttributes.USER32(00000000,00000000,?,00000000,00000000,000000EC,?,?,00475C6B), ref: 0047899C
SetWindowLongW.USER32 ref: 004789B5
RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,00475C6B), ref: 004789CB

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$Long$AttributesLayeredRedraw
String ID:
API String ID: 1758778077-0
Opcode ID: 38f946655069d2aa1ab86c44932aa06d58e9694477719161465c0c2d9a5b5af9
Instruction ID: 5edffc186236ca9cd662aa7780263bab535e46823a61d8d4c1d37994e57ed627
Opcode Fuzzy Hash: 38f946655069d2aa1ab86c44932aa06d58e9694477719161465c0c2d9a5b5af9
Instruction Fuzzy Hash: F311C8F090439026DB51AF795C89BAB368C0B01315F18097BB989FA2D3CA3CCE54D36D

Uniqueness

Uniqueness Score: -1.00%

Function 00405084, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004050B5
FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000,?,?,00000000,?,004FE94D,00000000), ref: 00405156
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000,?,?,00000000,?,004FE94D,00000000), ref: 00405192

Part of subcall function 00404FF4: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000), ref: 0040502D
Part of subcall function 00404FF4: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?), ref: 00405033
Part of subcall function 00404FF4: GetStdHandle.KERNEL32(000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 00405048
Part of subcall function 00404FF4: WriteFile.KERNEL32(00000000,000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 0040504E

Strings

P`P, xrefs: 0040508D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: P`P
API String ID: 3490077880-2641087985
Opcode ID: 28a99a7d279133977b670663e5dd43802ba0339314adbce1de80012b95f986b6
Instruction ID: f8076fa01862c25fbc21170c7190708f008f91801cbf2dac019033dfaeef2244
Opcode Fuzzy Hash: 28a99a7d279133977b670663e5dd43802ba0339314adbce1de80012b95f986b6
Instruction Fuzzy Hash: 79315C70A00B018BEB31AB79849871F76E4AB54314F15053FE546AB3D2DBBC9884CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405080, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004050B5
FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000,?,?,00000000,?,004FE94D,00000000), ref: 00405156
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000,?,?,00000000,?,004FE94D,00000000), ref: 00405192

Part of subcall function 00404FF4: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000), ref: 0040502D
Part of subcall function 00404FF4: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?), ref: 00405033
Part of subcall function 00404FF4: GetStdHandle.KERNEL32(000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 00405048
Part of subcall function 00404FF4: WriteFile.KERNEL32(00000000,000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 0040504E

Strings

P`P, xrefs: 0040508D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: P`P
API String ID: 3490077880-2641087985
Opcode ID: 67745d2a90b6bb3ff316590b602e0cd10b8b3b5cdbec14fdcb65c5cfb318c2aa
Instruction ID: d4573c39f1a0b34f224570e446c2afe9b1c688f2ce670eb66d61aa7b362db06e
Opcode Fuzzy Hash: 67745d2a90b6bb3ff316590b602e0cd10b8b3b5cdbec14fdcb65c5cfb318c2aa
Instruction Fuzzy Hash: 80312D70A00B018BEB31AB76849971F7AE0AF54314F15053FE586AB3D2D77C9884CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004A4BC4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004A4C39
SelectObject.GDI32(?,00000000), ref: 004A4C5C
ReleaseDC.USER32 ref: 004A4C8F

Strings

cMJ, xrefs: 004A4BFE

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ObjectReleaseSelect
String ID: cMJ
API String ID: 1831053106-1712207277
Opcode ID: 6b71cf63299bba1c9cfc14544bc38dc231065f563dac187f4686542547228b00
Instruction ID: 8ca3febb1ab0f4ca3628e4dbf8ad6a543fdc1f83c590c8228c2ae4e78597abcd
Opcode Fuzzy Hash: 6b71cf63299bba1c9cfc14544bc38dc231065f563dac187f4686542547228b00
Instruction Fuzzy Hash: BC21A470E01248EFDB10DFA5C841B9EB3F9EB99314F52846AE404A7282D7B89E00CA59

Uniqueness

Uniqueness Score: -1.00%

Function 004373B0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 004373D6

Part of subcall function 0043736C: GetDC.USER32(00000000), ref: 00437375
Part of subcall function 0043736C: SelectObject.GDI32(00000000,058A00B4), ref: 00437387
Part of subcall function 0043736C: GetTextMetricsW.GDI32(00000000,?,00000000), ref: 00437392
Part of subcall function 0043736C: ReleaseDC.USER32 ref: 004373A3

Strings

MS Shell Dlg 2, xrefs: 00437440
Tahoma, xrefs: 004373F8
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0043742C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 2013942131-1011973972
Opcode ID: f5915ef49f0666334897a883be5335ad055b9bc3b399126011555a0ca1a3dff7
Instruction ID: e0ae67a72fd2220e59121ca18970ec0978b29c3944d44ea30f011eceb9cb27e6
Opcode Fuzzy Hash: f5915ef49f0666334897a883be5335ad055b9bc3b399126011555a0ca1a3dff7
Instruction Fuzzy Hash: CC11DDB0604208AFD720EF6ADC4295DBBA9EB59300F91946AF88093B91D738AD05CB1C

Uniqueness

Uniqueness Score: -1.00%

Function 004A9DE8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A9DB8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004A9DD0

LoadLibraryW.KERNEL32(00000000,00000000,004A9EB0,?,00000000,00000000,00000000,00000000), ref: 004A9E3F
LoadLibraryW.KERNEL32(00000000,00000000,00000000,004A9EB0,?,00000000,00000000,00000000,00000000), ref: 004A9E85

Strings

MSFTEDIT.DLL, xrefs: 004A9E2C
RICHED20.DLL, xrefs: 004A9E72

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: LibraryLoad$DirectorySystem
String ID: MSFTEDIT.DLL$RICHED20.DLL
API String ID: 2630572097-3133735514
Opcode ID: dfa4c65e3d936239fe36dfa3fbb332cf940be2b337a184d423423f054646c9da
Instruction ID: a9f132dd17a2b82c4d76cca9c0a579eb9b5eaf10c42bece485a4e9ac59b76b11
Opcode Fuzzy Hash: dfa4c65e3d936239fe36dfa3fbb332cf940be2b337a184d423423f054646c9da
Instruction Fuzzy Hash: E6119070910108DFDB00FFA1D882AAE73B9EB65308F41C97BE500A7693D7786E49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004B0580, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegCloseKey.ADVAPI32(?,004B05EB,?,00000001,00000000), ref: 004B05DE

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004B058C
PendingFileRenameOperations2, xrefs: 004B05BF
PendingFileRenameOperations, xrefs: 004B05B0

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: 633ada50cbb5e8d618329f40e08504c767cab241233615bf87bb99e2a3fffe4a
Instruction ID: 804ad6ca0943b894b96feb314c15f8beab6de6e5b0984f264e825367721b0471
Opcode Fuzzy Hash: 633ada50cbb5e8d618329f40e08504c767cab241233615bf87bb99e2a3fffe4a
Instruction Fuzzy Hash: D7F06D712042087BEB14D6A69D12A9BB39CD784725F60886BF54486A81EA79ED019A3C

Uniqueness

Uniqueness Score: -1.00%

Function 00460848, Relevance: 6.4, APIs: 4, Instructions: 359COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00460CB8

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Capture
String ID:
API String ID: 1145282425-0
Opcode ID: 9ec700b3cb7743530922297284542ed004c7e30c035a30f926527527995ac77b
Instruction ID: 7b86f330580d24c5676f6a5729b9b713e574994b2e37c410721b7974a9053e91
Opcode Fuzzy Hash: 9ec700b3cb7743530922297284542ed004c7e30c035a30f926527527995ac77b
Instruction Fuzzy Hash: B2E12230600204DFDB15DFA8C589BAFB7F5EF05314F2441A6E804AB366E778AE45DB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0045E480, Relevance: 6.3, APIs: 4, Instructions: 308COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000000,00000000), ref: 0045E5FF
MulDiv.KERNEL32(?,?,?), ref: 0045E63A

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b5de875d9476425ee5d1d7a97e60a8c037a1b7bca8de3296af04510af2a251
Instruction ID: 5be1a7d65d3e7bbec65ed8cc02008475eeea24c6e4d026fb2131eb66a9c07e63
Opcode Fuzzy Hash: 15b5de875d9476425ee5d1d7a97e60a8c037a1b7bca8de3296af04510af2a251
Instruction Fuzzy Hash: 12D18B70A00609DFCB15CF69C584AAABBF2FF48301F148A5AE856DB356DB34EE05CB10

Uniqueness

Uniqueness Score: -1.00%

Function 004E2074, Relevance: 6.1, APIs: 4, Instructions: 142fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(000000FF,?,?,00000000,?,00000000,004E2252,?,00000000,00000000,?,?,004E3575,?,?,00000000), ref: 004E2120
FindClose.KERNEL32(000000FF,000000FF,?,?,00000000,?,00000000,004E2252,?,00000000,00000000,?,?,004E3575,?,?), ref: 004E212D
FindNextFileW.KERNEL32(000000FF,?,00000000,004E2225,?,004E2270,00000000,?,?,00000000,?,00000000,004E2252,?,00000000,00000000), ref: 004E2201
FindClose.KERNEL32(000000FF,004E222C,004E2225,?,004E2270,00000000,?,?,00000000,?,00000000,004E2252,?,00000000,00000000), ref: 004E221F

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 3f76bc25102e703e8c2327588f567bdebb219e6656ef44f108ee208093af1094
Instruction ID: 36a0e88ed47ed5a5c9c6a220835a55ad9e2fb1171e9217a1a669a0d379b35c3b
Opcode Fuzzy Hash: 3f76bc25102e703e8c2327588f567bdebb219e6656ef44f108ee208093af1094
Instruction Fuzzy Hash: 8D518071904249AFDF11EFA6CD45ADEB7BCEB08304F1045AAE908A3281D6789F45CF14

Uniqueness

Uniqueness Score: -1.00%

Function 004793CC, Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 00479411
GetDC.USER32(00000000), ref: 00479466
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00479470
ReleaseDC.USER32 ref: 0047947B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CapsDeviceKeyboardLayoutRelease
String ID:
API String ID: 3331096196-0
Opcode ID: d5d74c8ca3efa44066210ef010089a58dcc0b90acec5453446a83ae0bd2fe379
Instruction ID: d0959ebf1726b2668cf9b8fb25dc699690e94914cae8e69f49161f1a5ca15aee
Opcode Fuzzy Hash: d5d74c8ca3efa44066210ef010089a58dcc0b90acec5453446a83ae0bd2fe379
Instruction Fuzzy Hash: 3041C4B06012408FD750EF69D8C1B447BE1AB04318F45D1BAE908DF3A3D639AC08CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00443158, Relevance: 6.1, APIs: 4, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000BB,?,00000000), ref: 00443194
SendMessageW.USER32(00000000,000000BB,?,00000000), ref: 004431C3
SendMessageW.USER32(00000000,000000C1,00000000,00000000), ref: 004431DF
SendMessageW.USER32(00000000,000000B1,00000000,00000000), ref: 0044320A

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fef5ed53fd31a327b844ff8843d04730729e65a09a6991a3f5528ed982a67ded
Instruction ID: 4d174a75eacc8a696d77b554faee4562b2c03e2f9e8e69cf2d99b769e5ad33a4
Opcode Fuzzy Hash: fef5ed53fd31a327b844ff8843d04730729e65a09a6991a3f5528ed982a67ded
Instruction Fuzzy Hash: 2521F8703007456BE710EFA6DC82F5BB2ECEB84B05F20487E7441E76C2DAB89E10852D

Uniqueness

Uniqueness Score: -1.00%

Function 0042BDD0, Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 0042BDF1
UnregisterClassW.USER32 ref: 0042BE1A
RegisterClassW.USER32 ref: 0042BE24
SetWindowLongW.USER32 ref: 0042BE6F

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 79c0db732e8d308a1803ed9c95c1be72988015461dfd962e98590c7cf2f32bc1
Instruction ID: 44257e4e844b348939103baf6fa14a3357942d68770810eb0762cc7fdd13d0f6
Opcode Fuzzy Hash: 79c0db732e8d308a1803ed9c95c1be72988015461dfd962e98590c7cf2f32bc1
Instruction Fuzzy Hash: CB01A1717445056BCB00EB98EC45FAF33ADE718304F004626FA44E73E1CB7A9C199794

Uniqueness

Uniqueness Score: -1.00%

Function 0047AEC4, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

EnumWindows.USER32(Function_0007AE10), ref: 0047AEF1
GetWindow.USER32(?,00000003), ref: 0047AF09
GetWindowLongW.USER32(00000000,000000EC), ref: 0047AF16
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,?,00000003,Function_0007AE10), ref: 0047AF55

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: dc46f87aefadf03c832279afaf1de0c6b497e464b5d3ad6a3c82fe943312a327
Instruction ID: 2d5f21eb873434450f0e1e4589335b27ae91d818ecc58bf65364ca7c416f6070
Opcode Fuzzy Hash: dc46f87aefadf03c832279afaf1de0c6b497e464b5d3ad6a3c82fe943312a327
Instruction Fuzzy Hash: 01115A716442109FEB109A28DC85F9A73E4AB44724F24817AFD9CDF2D6C7789C50877A

Uniqueness

Uniqueness Score: -1.00%

Function 00402F1C, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00402FFC,00408E5C,00000000,00408E7E), ref: 00402F3A
VirtualFree.KERNEL32(00508AD0,00000000,00008000,?,00000000,00008000,?,?,?,?,00402FFC,00408E5C,00000000,00408E7E), ref: 00402F97

Strings

l P, xrefs: 00402F4A
,jP, xrefs: 00402F20

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FreeVirtual
String ID: ,jP$l P
API String ID: 1263568516-2491355162
Opcode ID: b7d25b19b1d040bc7e45151835a1b7e07e6d0c87cb1ae3db7f99725461c928d7
Instruction ID: ccfde0bd53bbbbf31df0cc1884c8b3e79bfdb2c398f7c21764665423015a2374
Opcode Fuzzy Hash: b7d25b19b1d040bc7e45151835a1b7e07e6d0c87cb1ae3db7f99725461c928d7
Instruction Fuzzy Hash: E31165717006019BD7149F059988B2ABEE5E784750F15C07EF209AF3D1D6B9DC019758

Uniqueness

Uniqueness Score: -1.00%

Function 004AF9A8, Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32 ref: 004AF9D4
MsgWaitForMultipleObjects.USER32 ref: 004AF9F6
GetExitCodeProcess.KERNEL32 ref: 004AFA07
CloseHandle.KERNEL32(00000001,004AFA34,004AFA2D,?,?,?,00000001,?,?,004AFDD6,?,0000003C,00000000,004AFDEC), ref: 004AFA27

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: 02d04c88c0c95989d0c24f47a548bdca4c2924962698a642de4bda368f377a05
Instruction ID: ec98638fec8b4c59f707463353998ef2b7cc20731e6726f35f7d2b9a88429f14
Opcode Fuzzy Hash: 02d04c88c0c95989d0c24f47a548bdca4c2924962698a642de4bda368f377a05
Instruction Fuzzy Hash: E601F570A403047EEB2097E68C06FAB7BACDB5A720F600137F504D32D2D6B88D00C669

Uniqueness

Uniqueness Score: -1.00%

Function 004DEA98, Relevance: 6.0, APIs: 4, Instructions: 34sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004DEAB8
GetLastError.KERNEL32 ref: 004DEAC2
GetTickCount.KERNEL32 ref: 004DEACC
Sleep.KERNEL32(00000032), ref: 004DEADC

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: fef8e07291c25c4cc36909ffcf045b16ab0c8792fb5ee196a737891fc8d4154d
Instruction ID: 1e46be7a8cc3b4af5acae25bd8e9ff16efaa17af0cf3f7a25a61c22b9beaa5f2
Opcode Fuzzy Hash: fef8e07291c25c4cc36909ffcf045b16ab0c8792fb5ee196a737891fc8d4154d
Instruction Fuzzy Hash: A7E02BA230924329DA33356F189157F6545DAD2B15F28093FF0C4D6342C81D4D0E512E

Uniqueness

Uniqueness Score: -1.00%

Function 004A0690, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 004A07AE

Part of subcall function 00408D5C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00408DA1

Strings

LQH, xrefs: 004A06EF
Variant is null, cannot invoke, xrefs: 004A06E8

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: String$FreeLoad
String ID: LQH$Variant is null, cannot invoke
API String ID: 62760895-3362311783
Opcode ID: 3c1b55d4728bb6641ae942a9665213e2b073f7ffe8c31e0f5f0941b2cb154e33
Instruction ID: 4281f03da930e244770ebd361fafc753e52955df40b18311f485a30cc41cdd94
Opcode Fuzzy Hash: 3c1b55d4728bb6641ae942a9665213e2b073f7ffe8c31e0f5f0941b2cb154e33
Instruction Fuzzy Hash: D3C19E74A002099FCB10DFA9C981A9EB7F5FF59314F24803AE804EB351D779AD46CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004B8190, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 004AAC74: SetEndOfFile.KERNEL32(?,?,004B8267,00000000,004B83F9,?,00000000,00000002,00000002), ref: 004AAC7B

FlushFileBuffers.KERNEL32(?,00000080), ref: 004B83C5

Strings

NumRecs range exceeded, xrefs: 004B82BC
EndOffset range exceeded, xrefs: 004B82F3

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: 7e5d812b19d55b45ddcdf8411a676ee5abe30c3aba6b6d97c10f39ab4f73f301
Instruction ID: ee00a79579a7ad40b7723e2a7905eded266f5c9248d3b4cea0f408e4ae8acfa2
Opcode Fuzzy Hash: 7e5d812b19d55b45ddcdf8411a676ee5abe30c3aba6b6d97c10f39ab4f73f301
Instruction Fuzzy Hash: 8E616434A002548FCB24DF25C891ADAB7B5FF49304F0444DAE989AB396DB74AEC5CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004D73E0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 004D7576

Strings

DP, xrefs: 004D7532
Inno Setup: Language, xrefs: 004D74B8

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: Inno Setup: Language$DP
API String ID: 2492992576-1510822476
Opcode ID: 69695308997ec537a0632b4fed0b97087e6cc79432a7f7aead90144bbb846600
Instruction ID: 46c6b14f10b98dd14d92ccdcbf4993a458a9ea6492aae00aeb7a79143bd3c464
Opcode Fuzzy Hash: 69695308997ec537a0632b4fed0b97087e6cc79432a7f7aead90144bbb846600
Instruction Fuzzy Hash: 136113386045049FC701DF58D4A8E9AB7F2FB89304F2581E6EC099B761EB34ED46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004E0420, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148windowCOMMON

Download Yara Rule

APIs

SendNotifyMessageW.USER32(002A0068,00000496,00002711,-00000001), ref: 004E0648

Strings

H, xrefs: 004E0467, 004E0479
MS PGothic, xrefs: 004E049C, 004E04AF

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MessageNotifySend
String ID: MS PGothic$ H
API String ID: 3556456075-689709186
Opcode ID: d302acb5336035e41d9ca051e1be5f1ae645d19136de79bec13a08679331ca6f
Instruction ID: 70a8af17b21394a0c53c4b04d40a4f99bdbf1127fad7a61562f0c4bade8fa5c9
Opcode Fuzzy Hash: d302acb5336035e41d9ca051e1be5f1ae645d19136de79bec13a08679331ca6f
Instruction Fuzzy Hash: 2951CF302001458BDB00FF26ECC5A5E33A1FB94305F5441BBA9149B3A6CBB8DC86DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004D9AC0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegCloseKey.ADVAPI32(?,004D9BAC,004D75FA,?,00000001,00000000,00000000,004D9BCA,?,?), ref: 004D9B93

Strings

%s\%s_is1, xrefs: 004D9B3B
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 004D9B1D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: 94d5b9df6421e1a34229022527724a68be74c9bfa3565f254976db8116c6688c
Instruction ID: 0e036e32b0eee643e748d4c2650ce68e673eb64dcdf1fafbc9949c39ec5037ec
Opcode Fuzzy Hash: 94d5b9df6421e1a34229022527724a68be74c9bfa3565f254976db8116c6688c
Instruction Fuzzy Hash: C231B470A002089FDB00DBA9DC62AAEB7F8FB49304F51407BE504F7381D779AE008B58

Uniqueness

Uniqueness Score: -1.00%

Function 004AE274, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AE369,?,00000000,0050B17C,00000003,00000000,00000000,?,004DE8D3,00000000,004DE9FE), ref: 004AE2BC
GetLastError.KERNEL32(00000000,00000000,?,00000000,004AE369,?,00000000,0050B17C,00000003,00000000,00000000,?,004DE8D3,00000000,004DE9FE), ref: 004AE2C5

Strings

.tmp, xrefs: 004AE2A5

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 8d46f03f04181f887e1aea6bd12de31051f987ab0511ce3a3f5796ca2d42f865
Instruction ID: 59cf80837acadacf4dd19d02b3c6e15e9a136b542cc0164b9d731fa9c604ed4c
Opcode Fuzzy Hash: 8d46f03f04181f887e1aea6bd12de31051f987ab0511ce3a3f5796ca2d42f865
Instruction Fuzzy Hash: 8D218B75A002089FDB00EBA5C842ADFB3F9EB59304F50457BF911B7741DB389E058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004AFD08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 004AFDA4
GetLastError.KERNEL32(0000003C,00000000,004AFDEC,?,?,?,00000001), ref: 004AFDB3

Part of subcall function 0047F740: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0047F753

Strings

<, xrefs: 004AFD5E

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: fcfa3f4f959bdf9aecbb664bd5ab3efb0ef4f16f8cabe7cfa69f7ca5fcad8844
Instruction ID: 3c7b03c30f4542251b30dd8d0e59a6afeec316a7cea4a72053c97f8f1a68169e
Opcode Fuzzy Hash: fcfa3f4f959bdf9aecbb664bd5ab3efb0ef4f16f8cabe7cfa69f7ca5fcad8844
Instruction Fuzzy Hash: 6A217C709002589FDB11EFA5C882ADE7BE8AF19344F50003BF845E7291E73899558B98

Uniqueness

Uniqueness Score: -1.00%

Function 004AD01C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 004AD070
GetLastError.KERNEL32(00000000,00000000,?,?,?,004B3204,00000000,1K,?,00000000,00000000,004AD096,?,?,00000000,00000001), ref: 004AD078

Strings

1K, xrefs: 004AD056, 004AD059

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID: 1K
API String ID: 2919029540-3277982518
Opcode ID: 144662c0b0594d9c35e36e100f5b20ad1331b1d9b05d041d054b4059bdf404b0
Instruction ID: 27121663f750f90800333315159ebe3e6f3250123c95a32b13b6f8b2a9e53e98
Opcode Fuzzy Hash: 144662c0b0594d9c35e36e100f5b20ad1331b1d9b05d041d054b4059bdf404b0
Instruction Fuzzy Hash: B4117C72A04208AF8B50CEA9DC81DDF77ECEB8E314B504566F918D3641DA38ED1187A4

Uniqueness

Uniqueness Score: -1.00%

Function 00470BFC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00470C53
EnumThreadWindows.USER32(00000000,00470BAC,00000000), ref: 00470C59

Strings

W3K, xrefs: 00470C9D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID: W3K
API String ID: 2396873506-2211912719
Opcode ID: 5407122a50f12af186fd797ae979ed9efde204bb6f4d7b2e98164dea3d88b7c9
Instruction ID: 0c64724396f852626b1d1ba3a4eefb00f80bcf4b64300bdf5b79b1880e5323f7
Opcode Fuzzy Hash: 5407122a50f12af186fd797ae979ed9efde204bb6f4d7b2e98164dea3d88b7c9
Instruction Fuzzy Hash: D3119E70A09740EFE31ACF36DD10A4ABBECFB99714F218576E804E3361EB345E089A14

Uniqueness

Uniqueness Score: -1.00%

Function 00480D4C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

SHAutoComplete.SHLWAPI(00000000,00000001), ref: 00480DC4

Part of subcall function 0047F740: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0047F753

Part of subcall function 00413C38: SetErrorMode.KERNEL32(00008000,?), ref: 00413C42
Part of subcall function 00413C38: LoadLibraryW.KERNEL32(00000000,00000000,00413C8C,?,00000000,00413CAA,?,00008000,?), ref: 00413C71

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

SHAutoComplete, xrefs: 00480DA1
shlwapi.dll, xrefs: 00480D84

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
String ID: SHAutoComplete$shlwapi.dll
API String ID: 395431579-1506664499
Opcode ID: 4217438cb196449aaf692266dfd182b2e53cfb1efeed1fad7fe7980307e832a2
Instruction ID: f9a17cf6751b6d8d0dfc75ccfce423406b49bb0c2e2d158275f503a9d5ed9283
Opcode Fuzzy Hash: 4217438cb196449aaf692266dfd182b2e53cfb1efeed1fad7fe7980307e832a2
Instruction Fuzzy Hash: D301D230614308AFE790FBA1DC92F9E77ECEB45708F50487AE40062691D7B8AD4CCB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040A124, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 0040A163

Strings

TWindowDisabler-Window, xrefs: 0040A161
W3K, xrefs: 0040A13D, 0040A140

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateWindow
String ID: TWindowDisabler-Window$W3K
API String ID: 716092398-2310209281
Opcode ID: 525154ca484f26252d46408543c51958e5444091af8ab4db31887610460425bf
Instruction ID: f482a91b61e37fa524220f56b4221b3e08f072a29bcffce70241aac4ef41fcfc
Opcode Fuzzy Hash: 525154ca484f26252d46408543c51958e5444091af8ab4db31887610460425bf
Instruction Fuzzy Hash: 9CF097B2600118BF8B40DE9DDC81DDF77ECEB4D265B054129FA0CE7201D634ED1087A4

Uniqueness

Uniqueness Score: -1.00%

Function 0042DA8C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042DAEE

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(77400000,00000000), ref: 0042DA08

KiUserCallbackDispatcher.NTDLL ref: 0042DAB4

Strings

GetSystemMetrics, xrefs: 0042DA9C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressCallbackDispatcherMetricsProcSystemUser
String ID: GetSystemMetrics
API String ID: 54681038-96882338
Opcode ID: 0a22105e880c12680412c353e7a1e70c8679e61f69015108c203138733f47b24
Instruction ID: 3c8ac70bac4857bcc7f9e7fc69a6e8620fde02ef0d95847c6b6124ab5750cff9
Opcode Fuzzy Hash: 0a22105e880c12680412c353e7a1e70c8679e61f69015108c203138733f47b24
Instruction Fuzzy Hash: 48F03070F2C2A05ACB105A34FC89E27395AA796334FE04737E512962D5C6BD9C49E31E

Uniqueness

Uniqueness Score: -1.00%

Function 004797F8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 00479805
LoadCursorW.USER32(00000000,00000000), ref: 00479837

Strings

8=P, xrefs: 00479815

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CursorLoad
String ID: 8=P
API String ID: 3238433803-3568989296
Opcode ID: d6daad5523d3a7c520d40e65917cf2ba34bd3de270a223e33dc55c1c351908dc
Instruction ID: 9a11a810e5521d7f9341e0e65e822e2c76b295f3ddaed8bec4abe59de2850128
Opcode Fuzzy Hash: d6daad5523d3a7c520d40e65917cf2ba34bd3de270a223e33dc55c1c351908dc
Instruction Fuzzy Hash: 7EF08261B016041ADA20653E8CD0EBE73989FC3774F25433BF97DCB2D1C6391C0651AA

Uniqueness

Uniqueness Score: -1.00%

Function 004394E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(DWMAPI.DLL,?,?,?,00478BCD), ref: 00439512

Strings

DWMAPI.DLL, xrefs: 0043950D
DwmExtendFrameIntoClientArea, xrefs: 0043952A

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: LibraryLoad
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 1029625771-2956373744
Opcode ID: f1c5f01dccdcd0255f15f3f41d9913487896009a41f4e6cfb11590aefadda4c3
Instruction ID: 2533bf740d6d0fef060d160b55d48e6167c81621efa87fb8f56eccf84f4b3c06
Opcode Fuzzy Hash: f1c5f01dccdcd0255f15f3f41d9913487896009a41f4e6cfb11590aefadda4c3
Instruction Fuzzy Hash: 36F036B2601310BFE7215B69ACDCB4F3694975C315F10543BAA1A92362D7BC0DCCDB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004DE1CC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,004DE54B,00000000,004DE566,?,00000005,00000000,00000000,?,004FCCF4), ref: 004DE22E

Strings

RegisteredOrganization, xrefs: 004DE21D
RegisteredOwner, xrefs: 004DE20B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: 9bc07153b2093205bd48c25e6caea6f949c307c74a5f5fae88d46469a52a7934
Instruction ID: 51872a4b968b3c8950a996b6790c7adbb9f0015cbe27227cdba7499fa3368a13
Opcode Fuzzy Hash: 9bc07153b2093205bd48c25e6caea6f949c307c74a5f5fae88d46469a52a7934
Instruction Fuzzy Hash: F0F0F030704148AFE708E296CDA6BAE77A8A702304F60007BF6005F3C1C6789E059B48

Uniqueness

Uniqueness Score: -1.00%

Function 0042E8C0, Relevance: 4.6, APIs: 3, Instructions: 144registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0042EA71), ref: 0042E939
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,0042EA71), ref: 0042E9A9
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 0042EA14

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c6a256ca2b77c0eb849fd58c5bc524bfa4762c6abff35eb9cc59e4513da43c38
Instruction ID: 4836d1a53404c84c73cf0765aeaaeed8c68258d9f2bc58b5e3cafa5e6262cb3c
Opcode Fuzzy Hash: c6a256ca2b77c0eb849fd58c5bc524bfa4762c6abff35eb9cc59e4513da43c38
Instruction Fuzzy Hash: A741B370F00218AFDB11EBA6D842B9EB7FAAF44344F95447AB845E3282C7399F059748

Uniqueness

Uniqueness Score: -1.00%

Function 00426344, Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,0042648C,?,?,004214C8,00000001), ref: 004263A0
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,0042648C,?,?,004214C8,00000001), ref: 004263CE

Part of subcall function 0040D55C: CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,004214C8,0042640E,00000000,0042648C,?,?,004214C8), ref: 0040D5AA

Part of subcall function 0040D814: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,004214C8,00426429,00000000,0042648C,?,?,004214C8,00000001), ref: 0040D833

GetLastError.KERNEL32(00000000,0042648C,?,?,004214C8,00000001), ref: 00426433

Part of subcall function 00410F70: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000,004214C8,00426440,00000000,0042648C,?,?,004214C8,00000001), ref: 00410F8F

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: dd1b9a618d8533b8af7f3b72c91dfd7eeff70768070e7b94b4bca550a507f678
Instruction ID: 207c32289ed3582f34b3c45b8b5ed7144cd3c487ec8e13a5d1f2876b7d7034a6
Opcode Fuzzy Hash: dd1b9a618d8533b8af7f3b72c91dfd7eeff70768070e7b94b4bca550a507f678
Instruction Fuzzy Hash: E4318270B002189FDB10EFA98C42ADEB7F0AB48318F51816AF914A73C2D7795D458AAD

Uniqueness

Uniqueness Score: -1.00%

Function 0041253C, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00412612), ref: 0041257E
GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,004125F5,?,00000000,?,00000000,00412612), ref: 004125B3
VerQueryValueW.VERSION(?,00412624,?,?,00000000,?,00000000,?,00000000,004125F5,?,00000000,?,00000000,00412612), ref: 004125CD

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID:
API String ID: 2179348866-0
Opcode ID: 8c5b856bdecb927ff9b1633c14641042daf61aaa873bbbc593e755ba72af7f68
Instruction ID: 8597d6c3fb7c4a3ec38beb6f047540a6cae548e5be3745bac87735c7989b36e7
Opcode Fuzzy Hash: 8c5b856bdecb927ff9b1633c14641042daf61aaa873bbbc593e755ba72af7f68
Instruction Fuzzy Hash: B9215671A10609AFDB01EFA5CD9189EB7FDEB483047514476B400E3691D778EE54D728

Uniqueness

Uniqueness Score: -1.00%

Function 004ACCD8, Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,?,?,?), ref: 004ACCF8
GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,004ACD73,?,00000000,?,?,?,?), ref: 004ACD25
VerQueryValueW.VERSION(?,004ACD9C,?,?,00000000,?,00000000,?,00000000,004ACD73,?,00000000,?,?,?,?), ref: 004ACD3F

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID:
API String ID: 2179348866-0
Opcode ID: bef84ca1fdb68ace35b2475b7fe7e5d1a8b99fc2633aefe85f8831ca9cab25bc
Instruction ID: 7bcec5a31399786b62bbc89f378cb89d298648ad0954409e3809339a02107faa
Opcode Fuzzy Hash: bef84ca1fdb68ace35b2475b7fe7e5d1a8b99fc2633aefe85f8831ca9cab25bc
Instruction Fuzzy Hash: FA219271A00108AFDB01DAA9CC819BFBBFCEB5A340F1544BAF904E3391D6789E048769

Uniqueness

Uniqueness Score: -1.00%

Function 004168A8, Relevance: 4.6, APIs: 3, Instructions: 52COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004168B7

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 7e641f5b127e955b133f8a194be8cb1ce950b31da11643afeb38f4b76e997575
Instruction ID: 1a7a91c0e98274912d59047310f67d0e83e4375cd5ec790c14011d6e9edbc5a1
Opcode Fuzzy Hash: 7e641f5b127e955b133f8a194be8cb1ce950b31da11643afeb38f4b76e997575
Instruction Fuzzy Hash: BA01B1F4A21210978B107B3ACA856FA22999F41318B62407FF4825F256CB3CCCC6932F

Uniqueness

Uniqueness Score: -1.00%

Function 004017F8, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00401E07,?,00401ADA), ref: 0040180E

Strings

,jP, xrefs: 00401817, 00401825
,jP, xrefs: 0040181F

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AllocVirtual
String ID: ,jP$,jP
API String ID: 4275171209-4000528981
Opcode ID: 5d1f62ad247cbe67ca2a105773c48f0b04cd6e470e57aae5a891e4acb4eadd7e
Instruction ID: 03b0546ac705445d345df6d4e88d4e8d7795d62d4a8be454eee869accf12312c
Opcode Fuzzy Hash: 5d1f62ad247cbe67ca2a105773c48f0b04cd6e470e57aae5a891e4acb4eadd7e
Instruction Fuzzy Hash: 9AF049B1B513008BDB15AF799D4130A7AD2F789308F10C13DEA09EB7A9E77584169B00

Uniqueness

Uniqueness Score: -1.00%

Function 00470BAC, Relevance: 4.5, APIs: 3, Instructions: 27windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00470BBC
IsWindowEnabled.USER32(?), ref: 00470BC6
EnableWindow.USER32(?,00000000), ref: 00470BEC

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$EnableEnabledVisible
String ID:
API String ID: 3234591441-0
Opcode ID: d46501bebeafc00ff47df9b4d363ff1e99f8e84b38ac06fc1bffa94e40175278
Instruction ID: 80d53781af6986638e65c2b265dd878f3218a2623050f52a722c61257d06fa87
Opcode Fuzzy Hash: d46501bebeafc00ff47df9b4d363ff1e99f8e84b38ac06fc1bffa94e40175278
Instruction Fuzzy Hash: 26E0E5701452005AE710AF7BDDC2A1AB79CBF54354F50892AB848A73D3DE79FD045664

Uniqueness

Uniqueness Score: -1.00%

Function 004DEAEC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004DEB34

Strings

Failed to remove temporary directory: , xrefs: 004DEB56

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CountTick
String ID: Failed to remove temporary directory:
API String ID: 536389180-3544197614
Opcode ID: 98102c6bfe12c1258edce4093c68e890a5e1512f32f262f8eca0fab212b82af6
Instruction ID: ddcbb1fea0bb7c9573b253c4432bfb2de283da0c1f1240de396d6096143e72dc
Opcode Fuzzy Hash: 98102c6bfe12c1258edce4093c68e890a5e1512f32f262f8eca0fab212b82af6
Instruction Fuzzy Hash: 0101B130240244AAEB11FB729C62B6E7394AB45704FA1086BF501AB3D2DA7DB900E62C

Uniqueness

Uniqueness Score: -1.00%

Function 0042EB8C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 0042EBB7

Strings

dB, xrefs: 0042EBD5

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: QueryValue
String ID: dB
API String ID: 3660427363-590823066
Opcode ID: 52cb6ea2ced2a5a1396db003c4c2600be03dc10ad460797b8b9a14827d6d0897
Instruction ID: 5c887d05631a9ac41c9f00d23c65e0dd69f09361cc4cd1948589aa337c31ba86
Opcode Fuzzy Hash: 52cb6ea2ced2a5a1396db003c4c2600be03dc10ad460797b8b9a14827d6d0897
Instruction Fuzzy Hash: 95017175B00208ABCB00DF9ADC819DEB7ACEB49314F008166BA14DB241D6349E04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004DE118, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,004DE361,00000000,004DE566,?,00000005,00000000,00000000), ref: 004DE15F

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004DE12D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: 40eaa714a09d6aa2c46a542be27fb984c7d58689b4ee053f27923cefaaf54fb1
Instruction ID: 83b4fab351944d4948ac6edfbad87f9e26a75af5648e35d8e82f5e6684b56936
Opcode Fuzzy Hash: 40eaa714a09d6aa2c46a542be27fb984c7d58689b4ee053f27923cefaaf54fb1
Instruction Fuzzy Hash: 2AF0AE31700218ABE714B56B5D52BAF929DDBC4758F10403FB905DB385D979DD01036D

Uniqueness

Uniqueness Score: -1.00%

Function 0042EA94, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,0042EAF8), ref: 0042EAC6

Strings

MS Shell Dlg 2, xrefs: 0042EA95, 0042EA97

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: QueryValue
String ID: MS Shell Dlg 2
API String ID: 3660427363-3198668166
Opcode ID: 40a7df6b1877300fbe6f727ca26aad6b5d6b094b76c2ac120af44f21f87671ee
Instruction ID: 237bdefa9337fd205bb120acb75056f6f03b30abdaa8b8f0a3c36c1784ac65f3
Opcode Fuzzy Hash: 40a7df6b1877300fbe6f727ca26aad6b5d6b094b76c2ac120af44f21f87671ee
Instruction Fuzzy Hash: 60F030763092547BD704EA6E9C81FABBBDCDB88755F01803EBA48C7681DA34DD058379

Uniqueness

Uniqueness Score: -1.00%

Function 0047FD20, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0047FD3A

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Open
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 71445658-1109908249
Opcode ID: e415bd2220768e8af6e5cac5480c8a33a3be2fcb2cc2fd5fa2f53e739a7e44d1
Instruction ID: fd9ded6d5f70eb0e81e331f2c2859044cc9f18ec4a999d0d4e7199f5a9835539
Opcode Fuzzy Hash: e415bd2220768e8af6e5cac5480c8a33a3be2fcb2cc2fd5fa2f53e739a7e44d1
Instruction Fuzzy Hash: BCD0C97295022DBBDB109A89DC81DFBB79DDB19360F40842AFE0897241C2B8FC518BF4

Uniqueness

Uniqueness Score: -1.00%

Function 004AEA0C, Relevance: 3.2, APIs: 2, Instructions: 192fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(000000FF,?,00000000,004AEC36,?,00000000,004AECAA,?,?,?,004B75D0,00000031,004B5D90,004B5D84,00000000,00000000), ref: 004AEC12
FindClose.KERNEL32(000000FF,004AEC3D,004AEC36,?,00000000,004AECAA,?,?,?,004B75D0,00000031,004B5D90,004B5D84,00000000,00000000,00000000), ref: 004AEC30

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: d3bf648ec0ec7326cbd6512e93b54dfcd63a853f8d1d0453b4f28266a034d1ae
Instruction ID: 989a3710816763b533bc540e75a098019a20e380c64239cef77bf36aecf21cc6
Opcode Fuzzy Hash: d3bf648ec0ec7326cbd6512e93b54dfcd63a853f8d1d0453b4f28266a034d1ae
Instruction Fuzzy Hash: F381A0709082889FDF21DFA6C4857EEBBB5AF56304F1481ABE86563381C3389F45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00425C80, Relevance: 3.1, APIs: 2, Instructions: 126COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000400,00000000,00000000,?,00000000,?), ref: 00425D28
CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?), ref: 00425DB6

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: 2e8860ad94cbe6b06da031b23563a88317132d7d40d73736365a3b8ad21801ab
Instruction ID: d886172ca38c2f35932a46a5eb0f5a325f8bc4ae031ddc8a8be8c980502e7438
Opcode Fuzzy Hash: 2e8860ad94cbe6b06da031b23563a88317132d7d40d73736365a3b8ad21801ab
Instruction Fuzzy Hash: 7A41CD30B00A25ABDB21DE75E886BAF73E9AF44704F918076E900B7385D678ED418A5C

Uniqueness

Uniqueness Score: -1.00%

Function 0047FAFC, Relevance: 3.1, APIs: 2, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,?,00000000,0047FC34,?,004E0678,00000000,00000000), ref: 0047FB38
RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,70000000,00000001,?,00000000,00000000,00000000,?,00000000,0047FC34,?,004E0678), ref: 0047FBA8

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3952c222326fdbd1c849a4e9494737835ba4abaf571a385d1af7d3bd6b945def
Instruction ID: 7a36ed184defeb1ce017c9a4bd8613152d0ff6d7255023b2078b31953f174b5a
Opcode Fuzzy Hash: 3952c222326fdbd1c849a4e9494737835ba4abaf571a385d1af7d3bd6b945def
Instruction Fuzzy Hash: 9E414E71900119AFDB11DB95C991AEFB3B8FB04704F51847AE805F7280D738AE499BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0047C4DC, Relevance: 3.1, APIs: 2, Instructions: 102COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0047C5B8
SetWindowLongW.USER32 ref: 0047C5C6

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 9468270469e0feec7c86800f3f050b332eeb819bcdde524564b8ce0ee2a1d03e
Instruction ID: 0544ea898a551e1a11e9400c7a2959c2b0bb2bd8ff33ff6c69717cd66fc96442
Opcode Fuzzy Hash: 9468270469e0feec7c86800f3f050b332eeb819bcdde524564b8ce0ee2a1d03e
Instruction Fuzzy Hash: F3413E70A04204EFDB10DF69C980A99B7F5EB49314F2186FAF8149B3A2D739AE41CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00475CD8, Relevance: 3.1, APIs: 2, Instructions: 83threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00475DF3
EnumThreadWindows.USER32(00000000,Function_00075C94,?), ref: 00475DF9

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: e1ba568b4748bd54d9dae6f77191e13192941e663547b1c7dc0192042840e0fd
Instruction ID: 78db1d5ca89ed4e75a1ec47d96514c47f4be6606423ec87fed2eb823eea2cc00
Opcode Fuzzy Hash: e1ba568b4748bd54d9dae6f77191e13192941e663547b1c7dc0192042840e0fd
Instruction Fuzzy Hash: AE31EC34A01648DFCB51DF99C589B9DB7F5EF44304F6580AAA808AB362D778AF40DB44

Uniqueness

Uniqueness Score: -1.00%

Function 004485C8, Relevance: 3.1, APIs: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045F97C: GetClassInfoW.USER32 ref: 0045FA4C
Part of subcall function 0045F97C: UnregisterClassW.USER32 ref: 0045FA77
Part of subcall function 0045F97C: RegisterClassW.USER32 ref: 0045FA96
Part of subcall function 0045F97C: GetWindowLongW.USER32(00000000,000000F0), ref: 0045FAD2
Part of subcall function 0045F97C: GetWindowLongW.USER32(00000000,000000F4), ref: 0045FAE7
Part of subcall function 0045F97C: SetWindowLongW.USER32 ref: 0045FAFA

SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014,?,?,?,004A676A,00000000,004A6781), ref: 004485F0
SendMessageW.USER32(00000000,00000192,00000001,00000000), ref: 00448614

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$ClassLong$InfoMessageRegisterSendUnregister
String ID:
API String ID: 3941102255-0
Opcode ID: 358f188d36b6f72e2e7aa43ad1287d7a82b1ea6f1be18e7a88afee833773360f
Instruction ID: fc004faba9f57c35fca83aea12363dfc2cc44bc3ef427258b11d0ab13290aa04
Opcode Fuzzy Hash: 358f188d36b6f72e2e7aa43ad1287d7a82b1ea6f1be18e7a88afee833773360f
Instruction Fuzzy Hash: 33210C703002015BEB40AE69C8C9B9A33A9AF46314F1845BEBD19DF397DA79DC058B69

Uniqueness

Uniqueness Score: -1.00%

Function 004FB0AC, Relevance: 3.1, APIs: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 004FAAD8: GetDC.USER32(00000000), ref: 004FAAE9
Part of subcall function 004FAAD8: SelectObject.GDI32(00000000,00000000), ref: 004FAB0B
Part of subcall function 004FAAD8: GetTextExtentPointW.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,004FB0E7), ref: 004FAB1F
Part of subcall function 004FAAD8: GetTextMetricsW.GDI32(00000000,?,00000000,00000000,00000000,004FAB64,?,00000000,?,?,00000000), ref: 004FAB41
Part of subcall function 004FAAD8: ReleaseDC.USER32 ref: 004FAB5E

MulDiv.KERNEL32(?,?,00000006), ref: 004FB129
MulDiv.KERNEL32(?,?,0000000D), ref: 004FB13E

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Text$ExtentMetricsObjectPointReleaseSelect
String ID:
API String ID: 844173074-0
Opcode ID: c13218de36478451debd82be05b67707a097a1b08b5da345554bf9a4a745a886
Instruction ID: 2f44681a457c6414d6ab08c1d6e70eaf567b920507f39177db822d0e48a3e07d
Opcode Fuzzy Hash: c13218de36478451debd82be05b67707a097a1b08b5da345554bf9a4a745a886
Instruction Fuzzy Hash: A52145713002009FD750EE28C885B6673E9EB89204F1481B9FE18CF39ADA35ED088BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004AD0B4, Relevance: 3.0, APIs: 2, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,00000000,?,00000000,004AD120), ref: 004AD0FA
GetLastError.KERNEL32(00000000,00000000,?,00000000,004AD120), ref: 004AD102

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CopyErrorFileLast
String ID:
API String ID: 374144340-0
Opcode ID: 0efc11a423056216d01c47979f2aac7580e6da8d595d746c76c7ab62e924dd58
Instruction ID: 949b9b743d898d9f5e247d7e4661de91bb216cd9ebfa1e574f40688057b4b902
Opcode Fuzzy Hash: 0efc11a423056216d01c47979f2aac7580e6da8d595d746c76c7ab62e924dd58
Instruction Fuzzy Hash: EF01A271E04208AFCB01DF7A9C4289EB7E8DB5A314B51457BF805E3681EA399E1196AC

Uniqueness

Uniqueness Score: -1.00%

Function 0047EED0, Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0047EF06
WriteProfileStringW.KERNEL32(00000000,00000000,00000000), ref: 0047EF2C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ProfileStringWrite$Private
String ID:
API String ID: 3244626871-0
Opcode ID: 92531002ace527cbd9e4c264261d0349202eab04c2c2e3f9491b9a149c984776
Instruction ID: feb2d681cbdc0f6f5edc1365b39a009fa76facc7a9b65a7d24a54996539b13f6
Opcode Fuzzy Hash: 92531002ace527cbd9e4c264261d0349202eab04c2c2e3f9491b9a149c984776
Instruction Fuzzy Hash: D5F01D72B141247AC600F7AF9C82D5E72DC9A4965C712853BF00AF3653DA39DD11536D

Uniqueness

Uniqueness Score: -1.00%

Function 004AD4B8, Relevance: 3.0, APIs: 2, Instructions: 48fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 004AD4FA
GetLastError.KERNEL32(00000000,00000000,00000000,004AD520), ref: 004AD502

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorFileLastMove
String ID:
API String ID: 55378915-0
Opcode ID: 40dcd38b6126bba2bdf28cbbf49bf5d0dfe94b76dc1c8009f26cad7e8743dce4
Instruction ID: b3bac48d4572646c71f9298e72213bb2c6d0f1a99259b82d27b7b90f86b4c5ed
Opcode Fuzzy Hash: 40dcd38b6126bba2bdf28cbbf49bf5d0dfe94b76dc1c8009f26cad7e8743dce4
Instruction Fuzzy Hash: 23018671E04308BFCB11EF7A9C4249EB7E8DB5E718751457BF809E3681EA385D10459C

Uniqueness

Uniqueness Score: -1.00%

Function 004ACFA4, Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,004AD003), ref: 004ACFDD
GetLastError.KERNEL32(00000000,00000000,00000000,004AD003), ref: 004ACFE5

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: afdc86d441679bcb250b81918ffd40fa8a6a85cb49793413baf7553182217538
Instruction ID: 78a90aed5d61c595d9e7cc36cabfc332a8f811876a5a55e0602512ffd90581c8
Opcode Fuzzy Hash: afdc86d441679bcb250b81918ffd40fa8a6a85cb49793413baf7553182217538
Instruction Fuzzy Hash: 12F0C831E08208BFDB11DF759C4159EB7E8DB0A318F5145B7F805E3681EA394E015698

Uniqueness

Uniqueness Score: -1.00%

Function 004AD13C, Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,004AD199,?,?,?,?,?,?,?,?,?,?,004B6184,00000000,004B62D8), ref: 004AD173
GetLastError.KERNEL32(00000000,00000000,004AD199,?,?,?,?,?,?,?,?,?,?,004B6184,00000000,004B62D8), ref: 004AD17B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: ecd4ea5eb32dad88567bdcff1c9705804462c046486e3b24e5a66aa0a17d47f1
Instruction ID: fada9f75f5d46744ff166ff1eb3387bf1aa3b7e01ab9fd3244394715a0c2f296
Opcode Fuzzy Hash: ecd4ea5eb32dad88567bdcff1c9705804462c046486e3b24e5a66aa0a17d47f1
Instruction Fuzzy Hash: 7EF0C831E04308AFDB01EB759C4149DB3E8DB4A71479149BBF805E3781EA3C5D104698

Uniqueness

Uniqueness Score: -1.00%

Function 004AD648, Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(00000000,00000000,004AD6A5,?,?), ref: 004AD67F
GetLastError.KERNEL32(00000000,00000000,004AD6A5,?,?), ref: 004AD687

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 1efc10c41cdde54fc9ef5604848f0ceffb7946df6dc08f05c4d0363e9bfe1d63
Instruction ID: c606c186da66a0fe5591713a000fee8cc24042f3939372258aab45a51535bacf
Opcode Fuzzy Hash: 1efc10c41cdde54fc9ef5604848f0ceffb7946df6dc08f05c4d0363e9bfe1d63
Instruction Fuzzy Hash: 58F0C271E04208AFCB01EFB59C4149EB3E8DB5A71875145BBF809E3A81EA7D5E10469C

Uniqueness

Uniqueness Score: -1.00%

Function 004AD314, Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,004AD373,?,?), ref: 004AD34D
GetLastError.KERNEL32(00000000,00000000,004AD373,?,?), ref: 004AD355

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 275f88bdd7697618bd3ed83563a243da64947c3c8e173cffa3e20aff4ac8fdad
Instruction ID: f24b8212ab7aa78279da42d795c508f07b68c2eece6d8624d4bc7f242ece3848
Opcode Fuzzy Hash: 275f88bdd7697618bd3ed83563a243da64947c3c8e173cffa3e20aff4ac8fdad
Instruction Fuzzy Hash: 55F0A471E04608AFCF11DF759C4149DB3A8EB0A32475146B7B815A3AC1EA385E008699

Uniqueness

Uniqueness Score: -1.00%

Function 00409620, Relevance: 3.0, APIs: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 00409644
GetProcAddress.KERNEL32(?,00000000), ref: 00409666

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d61bc043881c8c6bfe79b771c95475ab84ff338248c778fc4aa88fc9623a2036
Instruction ID: c89d22e9b9c93429c76f39329f2b2da4a35d652da9e9d6d2370a618858152621
Opcode Fuzzy Hash: d61bc043881c8c6bfe79b771c95475ab84ff338248c778fc4aa88fc9623a2036
Instruction Fuzzy Hash: 76F09630304608BFD701DA65CC52E6F779CDB8D714F910877F800B72C2D6796E008968

Uniqueness

Uniqueness Score: -1.00%

Function 00413C38, Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000,?), ref: 00413C42
LoadLibraryW.KERNEL32(00000000,00000000,00413C8C,?,00000000,00413CAA,?,00008000,?), ref: 00413C71

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 22cdac0ea3864d1c9fc14794b3611bfb054c473a339b1bdcfc5bbffd66b44375
Instruction ID: c33b5ee54a125df8a5f962db831c7c4dc245aa6e85e185c06cca69ab3386a9d6
Opcode Fuzzy Hash: 22cdac0ea3864d1c9fc14794b3611bfb054c473a339b1bdcfc5bbffd66b44375
Instruction Fuzzy Hash: 6EF08975514744BEDF019F768C5245ABBECE709B0575344B6F800A2991F53C4910C664

Uniqueness

Uniqueness Score: -1.00%

Function 0047BF28, Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 0047BF58
SetWindowTextW.USER32(?,00000000), ref: 0047BF6E

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: cc630a67aeced55246b47f80a926e095c4216094bd560cf0a947ee2c7436e7f5
Instruction ID: 7d00a6810dcca363eae9ffb52ff6539818c34ce04cf4287199015802695cfbf5
Opcode Fuzzy Hash: cc630a67aeced55246b47f80a926e095c4216094bd560cf0a947ee2c7436e7f5
Instruction Fuzzy Hash: 46F03760704614AADB12EA794885BD62298AF08704F48C0B7FD4CDF39BCB7D885747AE

Uniqueness

Uniqueness Score: -1.00%

Function 0042E82C, Relevance: 3.0, APIs: 2, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegFlushKey.ADVAPI32(00000000,?,0042E898,?,?,00000000,0042EA5B,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0042E83D
RegCloseKey.ADVAPI32(00000000,?,0042E898,?,?,00000000,0042EA5B,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0042E846

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseFlush
String ID:
API String ID: 320916635-0
Opcode ID: 16a93b3161b14499929432f6e7b2f7e46b5f1e358ba0c03c6b2a6c7e8b8821db
Instruction ID: a75c305c6264e109eefdb3ee3159a7ab521904fd26116d3b11111d4de8dffc1f
Opcode Fuzzy Hash: 16a93b3161b14499929432f6e7b2f7e46b5f1e358ba0c03c6b2a6c7e8b8821db
Instruction Fuzzy Hash: 2EE0EC607042018BDF54EE7685C560766D85B08304B48C4ABA908DF28BDA78C8048B24

Uniqueness

Uniqueness Score: -1.00%

Function 0042BE84, Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 0042BE8B
DestroyWindow.USER32(00000000,00000000,000000FC,?,?,004B2092,004FDD69), ref: 0042BE93

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$DestroyLong
String ID:
API String ID: 2871862000-0
Opcode ID: bce059e2e4f78d9ea124644dc8f52c56365baf76b2a7ddb240b69cd998c2f22f
Instruction ID: 93658432f59506ad1e570a0202503e38594b708589f4a020ba05f7c75e81cbd9
Opcode Fuzzy Hash: bce059e2e4f78d9ea124644dc8f52c56365baf76b2a7ddb240b69cd998c2f22f
Instruction Fuzzy Hash: ECC0125132213026DA10316A3CC28EF124CC8863793A0023BFA20A62D3CB2C4D4002EE

Uniqueness

Uniqueness Score: -1.00%

Function 00471BB0, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

FlatSB_SetScrollInfo.COMCTL32(00000000,0000001C,0000001C,000000FF,?,?,?), ref: 00471C73

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FlatInfoScroll
String ID:
API String ID: 3347635785-0
Opcode ID: 0b8e56398f003af2e37094571e4d2350b2c0b456a7a3a603069d487ec9884b64
Instruction ID: 504ac3d58b6b0d1a76c6eb64e7d17d5e211bc9fec583fb1852865caf7763fc92
Opcode Fuzzy Hash: 0b8e56398f003af2e37094571e4d2350b2c0b456a7a3a603069d487ec9884b64
Instruction Fuzzy Hash: AF418874A041448FD764CFADC080E9ABBF2AF58300F2485AEE488D7362D239EA04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00443558, Relevance: 1.6, APIs: 1, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A124: CreateWindowExW.USER32 ref: 0040A163

SendMessageW.USER32(00000000,000000CF,00000001,00000000), ref: 004435DC

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateMessageSendWindow
String ID:
API String ID: 304178485-0
Opcode ID: 573815f196507e6d036a7a0ecdccbab3dd7e1bd8fd436307ee9a42e3f2bce8ce
Instruction ID: e11c52fda4a27f151a50197d1ac5bd46fc7fc6e0f52adff070f030d935c3b23c
Opcode Fuzzy Hash: 573815f196507e6d036a7a0ecdccbab3dd7e1bd8fd436307ee9a42e3f2bce8ce
Instruction Fuzzy Hash: 9031E7B2200200AFEB55CF5DD8C1F6777EDEB48700F5584A9BA09CB296D678ED14CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00469970, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,00469A4B,?,?,?,?,?,?,0045E76F,00000001,00000000,00000000), ref: 00469A1E

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 3a561c3a29907f50821656d42ea964113cf6dca45ace4f921fe87d9dd1b3d9ce
Instruction ID: 33dd6183825d76350a8a11f92c63a114718b24044ad024c6769659ae42eb07a6
Opcode Fuzzy Hash: 3a561c3a29907f50821656d42ea964113cf6dca45ace4f921fe87d9dd1b3d9ce
Instruction Fuzzy Hash: 8B313A35704244EFDB04CF58D594A9ABBFAEF88310F29C1A9E8088B356DB74ED05DB15

Uniqueness

Uniqueness Score: -1.00%

Function 004230E4, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,00000000,0000000A,?,108B0050,00000000,00423381,?,004232B0,00000000,004232C8,?,0000FFA6,00000000,00000000), ref: 00423106

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: 8185a077245d37cbe22f8d035410122bef49fceb3b2227ad57302fe8e657a3e0
Instruction ID: 4a3a1da4f905cbffce5b1b6ee0bf98fadfa2f2fcfee68d73e4c187ddbaafb2a9
Opcode Fuzzy Hash: 8185a077245d37cbe22f8d035410122bef49fceb3b2227ad57302fe8e657a3e0
Instruction Fuzzy Hash: 3901F271304310AFD710EF6AEC9293AB7EDEB89714792403AF604D7391DA7A9C169628

Uniqueness

Uniqueness Score: -1.00%

Function 004AA208, Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000435,00000000,7FFFFFFE), ref: 004AA263

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 95f48fe79b7f0070c44aa0da5875e089468e44ca8ab7114b4da0b454f3a5638f
Instruction ID: 3ab67592e975b4b0c91210ecba32422d82d2f45fb3d2042fb05e181c8722349b
Opcode Fuzzy Hash: 95f48fe79b7f0070c44aa0da5875e089468e44ca8ab7114b4da0b454f3a5638f
Instruction Fuzzy Hash: 00016571A042087FD700DFA5D842B5DB7E9DB19714F5141BAF414A3391DB796920851D

Uniqueness

Uniqueness Score: -1.00%

Function 004AA180, Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000449,?,?), ref: 004AA1FB

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4fd264f1d484155155ceb63f08e336f327c486bf43db2e8587be4178355d6c5d
Instruction ID: b1399a6e0d261bd4a70e698cd2da3fce8c27263347c229cce97fc1cba37eea5c
Opcode Fuzzy Hash: 4fd264f1d484155155ceb63f08e336f327c486bf43db2e8587be4178355d6c5d
Instruction Fuzzy Hash: 6811FA70A01209EFCB40DFA9C98599EBBF4EB09314F1081A6E948E7351E3349E50DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00483BA8, Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,00483C98,00000000,00000000,00483C03,?,00000000,00483C88), ref: 00483BEF

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: fb7392466cbc231bf99713cd721b0d6c0a4e0866b451fd281b7cfdffd044abf0
Instruction ID: ec8458e9dfb4f787698b5bcf23f4a014e57f2dad102fc93167037afb8ff12b25
Opcode Fuzzy Hash: fb7392466cbc231bf99713cd721b0d6c0a4e0866b451fd281b7cfdffd044abf0
Instruction Fuzzy Hash: E701A771608704AFD705AF66DC5296EBBACE749F14B62487FF405E2680E63C5A109A28

Uniqueness

Uniqueness Score: -1.00%

Function 00483CD4, Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 00483B4C: CLSIDFromProgID.OLE32(00000000,?,00000000,00483B99,?,?,?,00000000), ref: 00483B79

CoCreateInstance.OLE32(?,00000000,00000005,00483DB8,00000000,00000000,00483D37,?,00000000,00483DA9), ref: 00483D23

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: ba6ecd7f472edf1fd0bb13c64dd91bed041a98c7cb3a4e29bba6d946b86c6250
Instruction ID: a2559c499663bd21bc2443302190b1b977d3ddafb6b0e80d9857fe81b56a8987
Opcode Fuzzy Hash: ba6ecd7f472edf1fd0bb13c64dd91bed041a98c7cb3a4e29bba6d946b86c6250
Instruction Fuzzy Hash: 9401D471204604AED705FF65DC129AEBBECE749F00F62487AF900E2680E6385A008668

Uniqueness

Uniqueness Score: -1.00%

Function 0045FFF8, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32 ref: 00460054

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 82ee3fee61d26e50e49649728977328f34805d21dbc2901f38f8d39a87d19b0d
Instruction ID: 2adc6b513d2d03d358a797f50149a893bdca0ce90b39a6aad1cb033f243510af
Opcode Fuzzy Hash: 82ee3fee61d26e50e49649728977328f34805d21dbc2901f38f8d39a87d19b0d
Instruction Fuzzy Hash: F10181313087428BD3209A29D888B87F7E5EF81359F18866BA49987291DA749C45CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00404D08, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,00404D51,?,00506050,00508AEC,00000000,?,00405126,?,?,?,00000002,004051BA,00403127,0040316E,?), ref: 00404D41

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 82e28484aa4ffdda2716f707cc85c744c11c8d67b6de0af3a45fd8f77fb77c38
Instruction ID: dcf24da99e045fbfb9c0dccf37c60bf87a6854611da0e0255dfddfa7817901cf
Opcode Fuzzy Hash: 82e28484aa4ffdda2716f707cc85c744c11c8d67b6de0af3a45fd8f77fb77c38
Instruction Fuzzy Hash: DEF0E9713057055FD3214F5ABC91D27BB9CEFD8B703560437DA0493A51CA78DC00856C

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF4, Relevance: 1.5, APIs: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,00000000), ref: 00415022

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fb65fbd9a5d22e5868ae5a156bf56d1ae0d68fbf666a4fb3df8e53439fe0124a
Instruction ID: 15d5ac83eed9c3dcd1f8424a3613cd65ef4208e20a25ca006d7fb2729d27d5b8
Opcode Fuzzy Hash: fb65fbd9a5d22e5868ae5a156bf56d1ae0d68fbf666a4fb3df8e53439fe0124a
Instruction Fuzzy Hash: C2E0ED30204604BFD310EA2ACC42CA77FDCDB8EB94382843AB808D3652EA789C1080AC

Uniqueness

Uniqueness Score: -1.00%

Function 0045AF7C, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 0045AFB7

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c4643b4b68760a8d6199615b02a577f63622df5181be579b687e7404b3f1c16c
Instruction ID: ae7e1c5642afe656c6ce1464cd9707bf1fd320cf40c09bb8fbf1a9685e4a0d09
Opcode Fuzzy Hash: c4643b4b68760a8d6199615b02a577f63622df5181be579b687e7404b3f1c16c
Instruction Fuzzy Hash: 7EF0D4362042019FC704DF5CC8C498ABBE5FF89255F4446A8FA89CB356DA32E858CB92

Uniqueness

Uniqueness Score: -1.00%

Function 004A494C, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

DrawTextW.USER32(?,00000000,00000000,?,?), ref: 004A4977

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 8cd70315d7187254e1599707e1ebb882dff13d65b8fa23297fc8c541d9ba8e7d
Instruction ID: d44062532e91153f92044cf75d8a343a9ddeda22a2273d3c524c09aff5e9e453
Opcode Fuzzy Hash: 8cd70315d7187254e1599707e1ebb882dff13d65b8fa23297fc8c541d9ba8e7d
Instruction Fuzzy Hash: 66E04FB37042147F6704DA9EADC1D6BF7ECDA99664310403AFA08E3301D574AD0182B8

Uniqueness

Uniqueness Score: -1.00%

Function 00483B4C, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,00483B99,?,?,?,00000000), ref: 00483B79

Part of subcall function 00405E28: SysFreeString.OLEAUT32(?), ref: 00405E36

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 30dbeb9be400a77f3487798f463af0fe5755e5426937a967af833bdbae9fa8b7
Instruction ID: 603aaa438a93b0809113585eabc7f7f4082cc67df7ab9bf304d5d641b5260c69
Opcode Fuzzy Hash: 30dbeb9be400a77f3487798f463af0fe5755e5426937a967af833bdbae9fa8b7
Instruction Fuzzy Hash: E7E0E571204704BFD301FF62CC12D4E76DCDB89B04B6208B6F400A2242D5396F0085A8

Uniqueness

Uniqueness Score: -1.00%

Function 0048087C, Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,004AA95E,00000000,004AA9AF,?,004AAB90), ref: 0048089B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: a71dd8b6ecc17ab16b5fd190bbb7372696dbcf7a8d05847f5d675a72fe716238
Instruction ID: aab9e7cd74eeccd42596a0313d2d04cd802c2727da9f391265aa23357043e6e1
Opcode Fuzzy Hash: a71dd8b6ecc17ab16b5fd190bbb7372696dbcf7a8d05847f5d675a72fe716238
Instruction Fuzzy Hash: 7EE0D860B6430225F27431490C53F7F11499FC0B00FA4483676809D7DAD6AD98D993DF

Uniqueness

Uniqueness Score: -1.00%

Function 0047EAF0, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,0047EB36,?,00000000,00000000,?,0047EB86,00000000,004AD259,00000000,004AD27A,?,00000000,00000000), ref: 0047EB19

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 01500d1026585a2ff11322f49bb50a5149f4299f696efe3803ac1df52f52bf88
Instruction ID: 2bb03c8bc3e63462193d8b19a19c0dc88d26945139d61dae7d8f27ec2ae29b2c
Opcode Fuzzy Hash: 01500d1026585a2ff11322f49bb50a5149f4299f696efe3803ac1df52f52bf88
Instruction Fuzzy Hash: 08E09231704344BFD711EB77CC53949B7ECE74C704BA288B6F405E3682E678AE108558

Uniqueness

Uniqueness Score: -1.00%

Function 0045FDFC, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,0045FE49), ref: 0045FE24

Part of subcall function 004135BC: GetLastError.KERNEL32(0040AA79,00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040A9F4,00000000,00451ABD,00000000,00451BD7), ref: 004135BC

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: DestroyErrorLastWindow
String ID:
API String ID: 1182162058-0
Opcode ID: ed97f2732f23317820cc0fa3120b3e2b72728ed258edb4b8ce61a385728d50ed
Instruction ID: 8bc6597d40b90e1f926ddf57c0d32e4619ab0118fdac3a5b753122f2e679815d
Opcode Fuzzy Hash: ed97f2732f23317820cc0fa3120b3e2b72728ed258edb4b8ce61a385728d50ed
Instruction Fuzzy Hash: 10F0A030604304EFD712CF69CA56D1EB7F8EB08B00B6200BAF804D3662E338ED08A619

Uniqueness

Uniqueness Score: -1.00%

Function 004080D0, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 004080EE

Part of subcall function 00408370: GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,00000000), ref: 0040838C
Part of subcall function 00408370: RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 004083AC
Part of subcall function 00408370: RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 004083CA
Part of subcall function 00408370: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 004083E8
Part of subcall function 00408370: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00408406
Part of subcall function 00408370: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004084A4,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 0040844F
Part of subcall function 00408370: RegQueryValueExW.ADVAPI32(?,00408698,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004084A4,?,80000001), ref: 0040846D
Part of subcall function 00408370: RegCloseKey.ADVAPI32(?,004084AB,00000000,?,?,00000000,004084A4,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040849E

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 6d7ca68d75fa4230207e8bf5216afb727d6242516d6ec55213392f30d600521f
Instruction ID: 3970bc2d34380e59235853d60ecf92922676daedb8835f9a67ac2a530b45cafe
Opcode Fuzzy Hash: 6d7ca68d75fa4230207e8bf5216afb727d6242516d6ec55213392f30d600521f
Instruction Fuzzy Hash: 02E0C971A003209BCB14DE58C9C5A473794AF08764F0449AAED54DF396D775DD208BD5

Uniqueness

Uniqueness Score: -1.00%

Function 004DE4AA, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(?,004DE4FD,?,00000005,00000000,00000000,?,004FCCF4,00000006,?,00000000,004FD285,?,00000000,004FD344), ref: 004DE4F0

Strings

cmd.exe, xrefs: 004DE51B
ProgramFilesDir, xrefs: 004DE355, 004DE3DC
SystemDrive, xrefs: 004DE2F2
CommonFilesDir, xrefs: 004DE38F, 004DE40B
COMMAND.COM, xrefs: 004DE53C
Common Files, xrefs: 004DE3C6
Failed to get path of 64-bit Program Files directory, xrefs: 004DE3FE
Failed to get path of 64-bit Common Files directory, xrefs: 004DE42D
\Program Files, xrefs: 004DE37C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FreeTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 734271698-544719455
Opcode ID: ea54a8d18c81022eb9635f3034375d7325494039b5c57a161f9dcbda501413ac
Instruction ID: 97166e09749915100436542396b9c5ee60712ed5df2677c63ab29a003dbf545c
Opcode Fuzzy Hash: ea54a8d18c81022eb9635f3034375d7325494039b5c57a161f9dcbda501413ac
Instruction Fuzzy Hash: 45E09275704604AFE7219FA6DD22F1E7BECE749F00BA144A3F900D66C1D678AD109A18

Uniqueness

Uniqueness Score: -1.00%

Function 004AAB10, Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004AAB4D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4fdd9f033404721df2e155fd5605cef61fe1f312c88f640614ddb3b7f7a101af
Instruction ID: 5de1926a2839ddf32ba0c0ef62d3103c8ca3c69ea4801b3e123a2d7eb7fa098d
Opcode Fuzzy Hash: 4fdd9f033404721df2e155fd5605cef61fe1f312c88f640614ddb3b7f7a101af
Instruction Fuzzy Hash: 3BE04FB534426C3ED200AA9DBC51F7A77DC9759719F008013FA94DB282C07A9E14ABF8

Uniqueness

Uniqueness Score: -1.00%

Function 0047FCE8, Relevance: 1.5, APIs: 1, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0047FD14

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4d8780b082cb17675e2ccbe2fcd0e9af29cea4848a969c8d517a1122db3e5fe2
Instruction ID: e0324ee88b814fa4232cf693952619af2d285c9fcc3fcc9da0a056ce71b8dee9
Opcode Fuzzy Hash: 4d8780b082cb17675e2ccbe2fcd0e9af29cea4848a969c8d517a1122db3e5fe2
Instruction Fuzzy Hash: 30E05AB260011DAF9B40DE8CDC81EEB77ADAB1D250B408016FE08D7241C274EC518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004AA3D4, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,004AA68F,00000000,004AA6A6), ref: 004AA3FB

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 20ca36b0d481d14b6c330b73ae19dd67b1c32df5be4c299efb5b2a65667918c4
Instruction ID: 3799799e066d3f2ec13c98ce16ed396c72fc4fddcbe5bf48d4b6ce8be42bf34d
Opcode Fuzzy Hash: 20ca36b0d481d14b6c330b73ae19dd67b1c32df5be4c299efb5b2a65667918c4
Instruction Fuzzy Hash: C5F014719212048FEF60CF38ADC435A36E7A728705F898A3A9404C3363E3748648EB55

Uniqueness

Uniqueness Score: -1.00%

Function 0047B41C, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0047B449

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: 25634872d4ce72af03b89055b95a040c859e08475323948650b878a0dc1210d4
Instruction ID: 5cb162f3b9425c3554eccc2811f6088f8d6969fb27f58a237ed41856848cae58
Opcode Fuzzy Hash: 25634872d4ce72af03b89055b95a040c859e08475323948650b878a0dc1210d4
Instruction Fuzzy Hash: 28F0B379205609AFCB40DF99D588D9ABBE8BB4C260B058595B988CB322C234FD818B94

Uniqueness

Uniqueness Score: -1.00%

Function 0045A758, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000,?,?,004C4A09,0000000C), ref: 0045A76B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c7cf7074a665caa880df6352a8bf1e0f51914274fe53a4cf435d6a591524547b
Instruction ID: 4fed6f1bead1e826d82ef6c1d6d08b942746fe2498122949f57dd92a01f9b926
Opcode Fuzzy Hash: c7cf7074a665caa880df6352a8bf1e0f51914274fe53a4cf435d6a591524547b
Instruction Fuzzy Hash: E2E0BF752002408FEB44CE58C4C5B527BE4AF49215F4480E5EE49CF35BD775DC45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0047EB8C, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,?,004AD48D,00000000,004AD4A6,?,?,00000000), ref: 0047EB97

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8750f7cfa68780ba347be842ad4ff4f14e4e61d15f9df3363ab5e94146d08921
Instruction ID: 4fe31d96657a96b0e8911360c08abaaf96be1d53b27b709f312f991304ad03d3
Opcode Fuzzy Hash: 8750f7cfa68780ba347be842ad4ff4f14e4e61d15f9df3363ab5e94146d08921
Instruction Fuzzy Hash: F6D012F122120055DE3491BF0CC539606C84B59328B249BA7B56EE13E3D23DA852702C

Uniqueness

Uniqueness Score: -1.00%

Function 00481434, Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00481450

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: d1f572c8df8d45808f434a8084c194e2c96dbff8bf9edfc5a4f2fe1318614efb
Instruction ID: 0016984d6659a185f013249d18ee087c054b1a6ff239e6549a9d0a57eb8f3b16
Opcode Fuzzy Hash: d1f572c8df8d45808f434a8084c194e2c96dbff8bf9edfc5a4f2fe1318614efb
Instruction Fuzzy Hash: 60D0A77110010D6FCB00DD98D840CAF33ACAB88B10B10CC06F919C7212C634FC5187B5

Uniqueness

Uniqueness Score: -1.00%

Function 0047EB44, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,?,004ABD07,00000000,?), ref: 0047EB4F

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 975f53d88cea3fe7f0012b4993e8238b103f4f20d6890ad68db02f2c4c1cf399
Instruction ID: 51270bde0d8cc8ec99cae62ce868433d80924152b8d70de0c8c870994d55acf5
Opcode Fuzzy Hash: 975f53d88cea3fe7f0012b4993e8238b103f4f20d6890ad68db02f2c4c1cf399
Instruction Fuzzy Hash: 59C08CE16112001A9E10E2FF0CC648B02C8094933C3644FB7F03EE23E3E23DA822211C

Uniqueness

Uniqueness Score: -1.00%

Function 004AAC74, Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,?,004B8267,00000000,004B83F9,?,00000000,00000002,00000002), ref: 004AAC7B

Part of subcall function 004AA9EC: GetLastError.KERNEL32(004AA780,004AAAB7,?,004FDBB4,00000001,00000000,00000002,00000000,004FDD55,?,?,00000005,00000000,004FDD8E), ref: 004AA9EF

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 351eeb30cd41957f7cb464669e35ada0d1404ca6a40d9ddf30320966c7c1cfb8
Instruction ID: 242d799680f052610c1cb83d63b003a7645a65ebb046a71bb5bfcc4518069ac9
Opcode Fuzzy Hash: 351eeb30cd41957f7cb464669e35ada0d1404ca6a40d9ddf30320966c7c1cfb8
Instruction Fuzzy Hash: 8AC09BE131020187DF11EABEC5C1A0763DC6F1D3143444466F549CF217D768DC10C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD04, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(00000000,?,004FDB42,00000000,004FDD55,?,?,00000005,00000000,004FDD8E,?,?,00000000,?), ref: 0040DD0F

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 5e2741f406a566ac20dd53898cd79c442441464cd05229c01c6d26d87152863f
Instruction ID: 760e6ac4e30c85a6c7c9acfda4d72fc248caca873c4b92e09980cd14d23c5683
Opcode Fuzzy Hash: 5e2741f406a566ac20dd53898cd79c442441464cd05229c01c6d26d87152863f
Instruction Fuzzy Hash: C7B012E3F302401ACB007AFE0CC180D00CC951860E7110C3FB006E31D3D43EC8140118

Uniqueness

Uniqueness Score: -1.00%

Function 004DEED0, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,004FDE18,00000000,004FDE27,?,?,?,?,?,004FE903), ref: 004DEEE6

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5685af9a52c58fb786b4b116cdba0501c21fc4398947b8dbfd9a927be0ce85a1
Instruction ID: 28ea42c322a716706993fcd1f6882b91b1f43e75a6720400b664436bda87e8f8
Opcode Fuzzy Hash: 5685af9a52c58fb786b4b116cdba0501c21fc4398947b8dbfd9a927be0ce85a1
Instruction Fuzzy Hash: 56C002B15502109EC741EF7AEC2A7093AE4A36F345F084A2BA445C62A2E73C8549EF84

Uniqueness

Uniqueness Score: -1.00%

Function 00413C93, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00413CB1), ref: 00413CA4

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: eeba46ead78c4002b6544dba429ce3210dc5ca815f22ff1587fdc3b0db739480
Instruction ID: f74c009880f30dea3a51c2799878f4aff0dcab6ab98bfa8724762755745ba8a3
Opcode Fuzzy Hash: eeba46ead78c4002b6544dba429ce3210dc5ca815f22ff1587fdc3b0db739480
Instruction Fuzzy Hash: 42B09B77A1C2005DE7099F95A41145873E4D7C47103A144B7F400D36C5E53C5904465C

Uniqueness

Uniqueness Score: -1.00%

Function 004B8E48, Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0047E6BC: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,00000000,00000000,004AE62F,00000000,004AE916,?,?,00000000,0050B17C), ref: 0047E6ED

SetLastError.KERNEL32(00000000,00000000,?,?,00000000,004B8EE7), ref: 004B8EC0

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorFullLastNamePath
String ID:
API String ID: 2157422313-0
Opcode ID: 316ed87a75032c9a6516b8a7080a4f448a777757926e1e33c125a0b476189e5d
Instruction ID: a5d21a233ddec4cc38f0b3a67cb76219b9c6552fe310692528cad28a0c757e48
Opcode Fuzzy Hash: 316ed87a75032c9a6516b8a7080a4f448a777757926e1e33c125a0b476189e5d
Instruction Fuzzy Hash: 1E117330710208AFDB00DFA9CD829EE77ACDB49314F60457EB905E3382DA78DE01D668

Uniqueness

Uniqueness Score: -1.00%

Function 0042BD08, Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,0050BC38,00000000,00000000,?,0042BE6B,00000000,00000B06,00000000,00400000,00000000,00000000,00000000), ref: 0042BD26

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b1b39261860be757938f1e3b03389e4a1231d0f724abb6382cc17b64e77e588a
Instruction ID: 6b31fb2f33bbe4fe12c45ac344cf3817c842f0af1773a987dad5548b9ca9cf69
Opcode Fuzzy Hash: b1b39261860be757938f1e3b03389e4a1231d0f724abb6382cc17b64e77e588a
Instruction Fuzzy Hash: 2D114C343403199FC710DF19D881B86BBE5FF58350F50C53AE9988B385D374E9058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004AD804, Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004AD870), ref: 004AD852

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: ead1f182d4bc557158a8d7a75a1c7f5afcaf6fb7894ed86ff90b817f4fdf3820
Instruction ID: dc377ecba4bc59826d84f5731e4709c3e0bd63d95e98ea8b0dad1aa82d21acd3
Opcode Fuzzy Hash: ead1f182d4bc557158a8d7a75a1c7f5afcaf6fb7894ed86ff90b817f4fdf3820
Instruction Fuzzy Hash: 7B01FC71A042086F8711DB6A9C514BEBBE8DB5A320750427BF424D3681DA3C9E1096A8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00434448, Relevance: 48.5, APIs: 32, Instructions: 500windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,00000054,?,00000000,?,00000000,?,00434C12,00000000,?,00000000,00434CC3,?,?,?,00000000), ref: 004344C8
GetDC.USER32(00000000), ref: 004344D9
CreateCompatibleDC.GDI32(00000000), ref: 004344EA
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00434536
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043455A
SelectObject.GDI32(?,?), ref: 004347B7
SelectPalette.GDI32(?,00000000,00000000), ref: 004347F7
RealizePalette.GDI32(?), ref: 00434803
SetTextColor.GDI32(?,00000000), ref: 0043486C
SetBkColor.GDI32(?,00000000), ref: 00434886
SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,?,00434A14,00434A14,?,00000000,00000000,00434A14), ref: 004348CE
FillRect.USER32 ref: 00434854

Part of subcall function 004306C0: GetSysColor.USER32(00432508), ref: 004306CA

PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 004348F0
CreateCompatibleDC.GDI32(00000000), ref: 00434903
SelectObject.GDI32(00434D0B,00000000), ref: 00434926
SelectPalette.GDI32(00434D0B,00000000,00000000), ref: 00434942
RealizePalette.GDI32(00434D0B), ref: 0043494D
SetTextColor.GDI32(00434D0B,00000000), ref: 0043496B
SetBkColor.GDI32(00434D0B,00000000), ref: 00434985
BitBlt.GDI32(?,00000000,00000000,?,?,00434D0B,00000000,00000000,00CC0020), ref: 004349AD
SelectPalette.GDI32(00434D0B,00000000,000000FF), ref: 004349BF
SelectObject.GDI32(00434D0B,00000000), ref: 004349C9
DeleteDC.GDI32(00434D0B), ref: 004349E4

Part of subcall function 0043170C: CreateBrushIndirect.GDI32(?), ref: 004317B7

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
String ID:
API String ID: 1299887459-0
Opcode ID: a547df16d9d45c743b2e04442f89ff0603482c87bfc6ba3c0a06317c7910bba4
Instruction ID: f1df2df15a4d58b172ea2e73916dc75ef4af8a8e80b15d768e357f7c63fd91c8
Opcode Fuzzy Hash: a547df16d9d45c743b2e04442f89ff0603482c87bfc6ba3c0a06317c7910bba4
Instruction Fuzzy Hash: E812BB75A00208AFDB10EFA9C885F9E77B8EB4C314F159556F914EB2A2C778ED40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004B3678, Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 187pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004B36E0
QueryPerformanceCounter.KERNEL32(00000000,00000000,004B3973,?,?,00000000,00000000,?,004B4372,?,00000000,00000000), ref: 004B36E9
GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004B36F3
GetCurrentProcessId.KERNEL32(?,00000000,00000000,004B3973,?,?,00000000,00000000,?,004B4372,?,00000000,00000000), ref: 004B36FC
CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004B3772
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004B3780
CreateFileW.KERNEL32(00000000,C0000000,00000000,0050437C,00000003,00000000,00000000,00000000,004B392F,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 004B37C8
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,004B391E,?,00000000,C0000000,00000000,0050437C,00000003,00000000,00000000,00000000,004B392F), ref: 004B3801

Part of subcall function 0047F740: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0047F753

CreateProcessW.KERNEL32 ref: 004B38AA
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 004B38E0
CloseHandle.KERNEL32(000000FF,004B3925,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004B3918

Part of subcall function 004ADC34: GetLastError.KERNEL32(00000000,004AE8EE,00000005,00000000,004AE916,?,?,00000000,0050B17C,00000000,00000000,00000000,?,004FE26B,00000000,004FE286), ref: 004ADC37

Strings

\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 004B3748
i, xrefs: 004B385D
Cannot utilize 64-bit features on this version of Windows, xrefs: 004B36C1
helper %d 0x%x, xrefs: 004B3889
CreateNamedPipe, xrefs: 004B3790
64-bit helper EXE wasn't extracted, xrefs: 004B36D4
SetNamedPipeHandleState, xrefs: 004B380A
CreateProcess, xrefs: 004B38B3
D, xrefs: 004B3823
CreateFile, xrefs: 004B37D6
Helper process PID: %u, xrefs: 004B38FD
Starting 64-bit helper process., xrefs: 004B36AD

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: bf479e882dcec88aae4124b5952a47c3e81f9bcdb258fe98f1bb88e5ac7c7e1a
Instruction ID: 4523f16373a1801ff61ab6447ecace3fdf2c938ec97d1fc0311325a4270de625
Opcode Fuzzy Hash: bf479e882dcec88aae4124b5952a47c3e81f9bcdb258fe98f1bb88e5ac7c7e1a
Instruction Fuzzy Hash: F5713470E04358AEDB20DF6ACC41BDEB7F4AB05304F5045AAF518FB282D7789A448B69

Uniqueness

Uniqueness Score: -1.00%

Function 00408174, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 152stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,0040B314,?,00000000), ref: 00408191
GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 004081A8
lstrcpynW.KERNEL32(?,?,?), ref: 004081D8
lstrcpynW.KERNEL32(?,?,?,kernel32.dll,0040B314,?,00000000), ref: 00408247
lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,0040B314,?,00000000), ref: 0040828F
FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,0040B314,?,00000000), ref: 004082A2
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,0040B314,?,00000000), ref: 004082B8
lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0040B314,?,00000000), ref: 004082C4
lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0040B314,?), ref: 00408300
lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0040B314), ref: 0040830C
lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 0040832F

Strings

GetLongPathNameW, xrefs: 0040819F
kernel32.dll, xrefs: 0040818C
\, xrefs: 004082D6

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 3245196872-3908791685
Opcode ID: d23ac2dccd6c5904ed4ebb122041d1f5d384be88246b7f3bb0063985ae1c4c9b
Instruction ID: 250bcaa9846f6036ca752eb7000dfcf737f83f99ccb7def8f15fd4b0e8f234fa
Opcode Fuzzy Hash: d23ac2dccd6c5904ed4ebb122041d1f5d384be88246b7f3bb0063985ae1c4c9b
Instruction Fuzzy Hash: A3519472E005189BDB10EBE4CD85ADE73BCAF44310F1445BEA944F7290EB789E41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004D8F68, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 004D8D84: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 004D8DB0
Part of subcall function 004D8D84: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 004D8DC9
Part of subcall function 004D8D84: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 004D8DF3
Part of subcall function 004D8D84: CloseHandle.KERNEL32(00000000), ref: 004D8E11

Part of subcall function 004D8E94: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,004D8F27,?,?,00000000,?,004D8F9F,00000000,004D90B7,?,?,?), ref: 004D8EC3

ShellExecuteExW.SHELL32(0000003C), ref: 004D8FEF
GetLastError.KERNEL32(00000000,004D90B7,?,?,?), ref: 004D8FF8
MsgWaitForMultipleObjects.USER32 ref: 004D9045
GetExitCodeProcess.KERNEL32 ref: 004D906B
CloseHandle.KERNEL32(00000000,004D909C,00000000,00000000,000000FF,000000FF,00000000,004D9095,?,00000000,004D90B7,?,?,?), ref: 004D908F

Strings

MsgWaitForMultipleObjects, xrefs: 004D9054
GetExitCodeProcess, xrefs: 004D9074
runas, xrefs: 004D8FBC
<, xrefs: 004D8FAE
ShellExecuteEx, xrefs: 004D9009
ShellExecuteEx returned hProcess=0, xrefs: 004D9019

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 254331816-221126205
Opcode ID: 359b6925c884a4c6965e96e14a4f95173608c72942931127f389d05d3d9d106e
Instruction ID: 0ceec1fc157af90cc67455280caa66068deec0621c71cd14981735221fdfa72d
Opcode Fuzzy Hash: 359b6925c884a4c6965e96e14a4f95173608c72942931127f389d05d3d9d106e
Instruction Fuzzy Hash: CA318270E04219AADF11EFA6D861A9EB6B8EB09318F50443FF514E6381DB7C8D00CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00463DC8, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00463DD7
GetWindowPlacement.USER32(?,?,?), ref: 00463DF4
GetWindowRect.USER32 ref: 00463E13
GetWindowLongW.USER32(?,000000F0), ref: 00463E21
GetWindowLongW.USER32(?,000000F8), ref: 00463E3A
GetWindowLongW.USER32(00000000,000000EC), ref: 00463E48
ScreenToClient.USER32 ref: 00463E78
ScreenToClient.USER32 ref: 00463E9D

Strings

,, xrefs: 00463DE0

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$Long$ClientScreen$IconicPlacementRect
String ID: ,
API String ID: 1823113212-3772416878
Opcode ID: 8983a41e395eff9be867d15e07cfca118a0a71065231dc7b6c60802d8e05fcaf
Instruction ID: 05e43850699bf277c6aaae6e1dead8c2775ca02f66f54e5439e6b7206f2dc4be
Opcode Fuzzy Hash: 8983a41e395eff9be867d15e07cfca118a0a71065231dc7b6c60802d8e05fcaf
Instruction Fuzzy Hash: 9031C471509341AFC740DF6DC584A4FBBE4AF88354F10892EB998D7392E335DD448BA6

Uniqueness

Uniqueness Score: -1.00%

Function 004FDF38, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 91fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,004FE07B,?,00000000,0050B17C,?,004FE232,00000000,004FE286,?,00000000,00000000,00000000), ref: 004FDF89
SetFileAttributesW.KERNEL32(00000000,00000010), ref: 004FE00C
DeleteFileW.KERNEL32(00000000), ref: 004FE01A
FindNextFileW.KERNEL32(000000FF,?,00000000,004FE04E,?,00000000,?,00000000,004FE07B,?,00000000,0050B17C,?,004FE232,00000000,004FE286), ref: 004FE02A
FindClose.KERNEL32(000000FF,004FE055,004FE04E,?,00000000,?,00000000,004FE07B,?,00000000,0050B17C,?,004FE232,00000000,004FE286), ref: 004FE048

Strings

isRS-, xrefs: 004FDFA9
isRS-???.tmp, xrefs: 004FDF71

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: File$Find$AttributesCloseDeleteFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 1425421994-3422211394
Opcode ID: 0b95288292faa84bae1fb2b04fe06f2f351e1859d78ba2f69f57631cd27ba99d
Instruction ID: cb4ba5ba77a75789e263aba167a119555d3d55a2da80293cad247d0a0f68a6fd
Opcode Fuzzy Hash: 0b95288292faa84bae1fb2b04fe06f2f351e1859d78ba2f69f57631cd27ba99d
Instruction Fuzzy Hash: 7531987090466CAFCB10DF66CC45A9EB7F9EB84304F5144FBA905B3291EA7C9E408A18

Uniqueness

Uniqueness Score: -1.00%

Function 004B00AC, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 004B00BC
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004B00C2
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004B00DB
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004B0102
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004B0107
ExitWindowsEx.USER32(00000002,00000000), ref: 004B0118

Strings

SeShutdownPrivilege, xrefs: 004B00D4

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: ef9d41a7b5daaa718b69dd9ca2d444d7aee655285940df61ceddb449c0489ae7
Instruction ID: 2d82122e82644b5eda749e0f008ebc2aa4b636d5a7613be086f7d44d70cf5359
Opcode Fuzzy Hash: ef9d41a7b5daaa718b69dd9ca2d444d7aee655285940df61ceddb449c0489ae7
Instruction Fuzzy Hash: EEF0C8306453017AE614AA758C07FAF72C8AB44B05F50082AB640E61C3D7BED904863F

Uniqueness

Uniqueness Score: -1.00%

Function 004535D0, Relevance: 10.9, APIs: 7, Instructions: 415COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 004538A0
RestoreDC.GDI32(?,?), ref: 00453914
GetWindowDC.USER32(?,00000000,00453B22), ref: 0045398E
SaveDC.GDI32(?), ref: 004539C5
RestoreDC.GDI32(?,?), ref: 00453A50
DefWindowProcW.USER32(?,?,?,?,00000000,00453B22), ref: 00453B04

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: RestoreSaveWindow$Proc
String ID:
API String ID: 1975259465-0
Opcode ID: ffdfa24ff94f153435562c9498c741f9aafaaf97d3fba6ae97b153746faf413b
Instruction ID: d6493b0fb8e4189062a47f2859b5ea4923f5df73382423731f32b30757d7e471
Opcode Fuzzy Hash: ffdfa24ff94f153435562c9498c741f9aafaaf97d3fba6ae97b153746faf413b
Instruction Fuzzy Hash: 4DF16E74A00209AFCB10DFA9C48199EF7F5FF48346B25816AE844A7362D778EE45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00481238, Relevance: 9.1, APIs: 6, Instructions: 90windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00481265
GetWindowLongW.USER32(?,000000F0), ref: 0048127E
GetWindowLongW.USER32(?,000000EC), ref: 0048129A
GetActiveWindow.USER32 ref: 004812A3
MessageBoxW.USER32(00000000,00000000,00000000,00000000), ref: 004812D0
SetActiveWindow.USER32(?,0048134C,00000000,?), ref: 004812F1

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$ActiveLong$IconicMessage
String ID:
API String ID: 1633107849-0
Opcode ID: 159527b6e538fb0acb14474d8a9e5e9b721a44919c31f36a84b5d685237afa60
Instruction ID: 912c38e0a71ac18bf281b613dd81c7be8c9f18af2e7e4ce1aaaee03cd0e7779b
Opcode Fuzzy Hash: 159527b6e538fb0acb14474d8a9e5e9b721a44919c31f36a84b5d685237afa60
Instruction Fuzzy Hash: BC31B170A04700AFD711EBA9C885A9E77ECFB4D314F1148AAF804E33A1D638AD00DB18

Uniqueness

Uniqueness Score: -1.00%

Function 0046335C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0046339B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 004633B9
GetWindowPlacement.USER32(?,0000002C), ref: 004633EF
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00463413

Strings

,, xrefs: 004633DD

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 70142e43902542f6b181c0d475d1259aff037c5e475c9efdb15c090ca1694d0e
Instruction ID: 175857a8f66be85dff5b254cde1ebf989d36374ce012c1fc9b2fffc776e7af13
Opcode Fuzzy Hash: 70142e43902542f6b181c0d475d1259aff037c5e475c9efdb15c090ca1694d0e
Instruction Fuzzy Hash: E7214F71A00244ABCF54EF6DC8C499E77A8AF09315F00846AFD18EF346E779ED448BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0042DBCC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(77400000,00000000), ref: 0042DA08

MonitorFromWindow.USER32(?,?), ref: 0042DBFC

Strings

MonitorFromWindow, xrefs: 0042DBE3

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressFromMonitorProcWindow
String ID: MonitorFromWindow
API String ID: 2184870004-2842599566
Opcode ID: a339373b2ea78f162fc64ceb30bb40eeff9566ac8625277b9692d286750af45a
Instruction ID: 09b7f80d8916beb450250fae5da5f9838b842c5b57be028bf6a572ef599346e3
Opcode Fuzzy Hash: a339373b2ea78f162fc64ceb30bb40eeff9566ac8625277b9692d286750af45a
Instruction Fuzzy Hash: 8701AD72A041286ACB10EB52EC85ABFB35CDB04304B800027F810A7282DBBC9D09D3AA

Uniqueness

Uniqueness Score: -1.00%

Function 004808CC, Relevance: 7.5, APIs: 5, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004AD778,00000000,004AD799), ref: 004808EE
DeviceIoControl.KERNEL32 ref: 00480918
GetLastError.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000), ref: 00480925
CloseHandle.KERNEL32(00000000,00000000,0009C040,?,00000002,00000000,00000000,?,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000), ref: 0048092D
SetLastError.KERNEL32(00000000,00000000,00000000,0009C040,?,00000002,00000000,00000000,?,00000000,00000000,C0000000,00000001,00000000,00000003,02000000), ref: 00480933

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: eba49109ab4412aa03c078146b95e6a817892ca5320b90857e4067fed9350521
Instruction ID: 757201d374c544a68746b83c475efb3820bba70b78ff77d633849ce88f686b7b
Opcode Fuzzy Hash: eba49109ab4412aa03c078146b95e6a817892ca5320b90857e4067fed9350521
Instruction Fuzzy Hash: 43F06DB279422039F121626A1C82FBF118C9B85BA8F51453AF604FB1D2D5A99D0A526D

Uniqueness

Uniqueness Score: -1.00%

Function 004A1A3C, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,004A1C86,?,?,?,?,00000000,00000000), ref: 004A1BB3
LoadLibraryW.KERNEL32(00000000,?,?,?,00000000,004A1C86,?,?,?,?,00000000,00000000), ref: 004A1BC5
GetProcAddress.KERNEL32(00000000,00000000), ref: 004A1C35

Strings

<utf8>, xrefs: 004A1B66

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: LibraryLoad$AddressProc
String ID: <utf8>
API String ID: 1469910268-2377197763
Opcode ID: b781309f96ba1e4422e9ef4e93870b08a44e3f56c274b0227328c2f5e2670bd2
Instruction ID: 6d6b1b89222b3d5005054f689de362d71fe02d1583d406a5c703ad6b3b819fe0
Opcode Fuzzy Hash: b781309f96ba1e4422e9ef4e93870b08a44e3f56c274b0227328c2f5e2670bd2
Instruction Fuzzy Hash: C4616B70A001099FDB00EBA5C485B9FB7F5EF59318F54817AE404AB3A6DA78AE418B58

Uniqueness

Uniqueness Score: -1.00%

Function 004328A4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00432940,?,00000000,?,00432958,00000000,00434B6B,00000000,00000000,00434D0B,?,00000000,00000054,?,00000000), ref: 004328C4
FormatMessageW.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00432940,?,00000000,?,00432958,00000000,00434B6B,00000000), ref: 004328EA

Strings

8B, xrefs: 00432911

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID: 8B
API String ID: 3479602957-4165284811
Opcode ID: 4ddcc54a873ce69e8cbf2d276487b3da5aa6a42e19176dcf8c7ddf40a7503cdc
Instruction ID: 287b00f6fbc44408d1deb48b84d0f04d1ce37634cb89fa4247d01634c909129f
Opcode Fuzzy Hash: 4ddcc54a873ce69e8cbf2d276487b3da5aa6a42e19176dcf8c7ddf40a7503cdc
Instruction Fuzzy Hash: 9001ACB07047095AE721FB618D52BDA72ACDF0C704F9140BBB604A62D2DAB8AD41891C

Uniqueness

Uniqueness Score: -1.00%

Function 0047A500, Relevance: 4.5, APIs: 3, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0047A50C
GetCursorPos.USER32(?,00000000,00000064), ref: 0047A529
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 0047A549

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: c3825cbfbb0fce71f61fa2a5937f100f6191f94a8ccc55f7865f3cb6f4fafa16
Instruction ID: b085e44beee730e3645b7972984611c6b32b386b080458ef1046c60807020b85
Opcode Fuzzy Hash: c3825cbfbb0fce71f61fa2a5937f100f6191f94a8ccc55f7865f3cb6f4fafa16
Instruction Fuzzy Hash: 5BF0B431544304AAEB14A766D886BDE33E8FB45314F504027E504972D2D77C9C50CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004629EC, Relevance: 3.1, APIs: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00462A24
GetCapture.USER32 ref: 00462A2D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 201650b5fbd0e2d90c744b81722c7441c4f55fc64f4f176e00ec4b6230af2621
Instruction ID: 5ad91f7f634b7bc75800b6c2637611c91fc1552889c671418f97189261b6e815
Opcode Fuzzy Hash: 201650b5fbd0e2d90c744b81722c7441c4f55fc64f4f176e00ec4b6230af2621
Instruction Fuzzy Hash: 05115E32B10605ABDB30DB99CA85D6A73E4EF04308B24407AE404DB752E7BCEE449759

Uniqueness

Uniqueness Score: -1.00%

Function 00480E38, Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 00480E45
SetSecurityDescriptorDacl.ADVAPI32(00000000,000000FF,00000000,00000000,00000001,00000001), ref: 00480E55

Part of subcall function 00409458: CreateMutexW.KERNEL32(?,00000001,00000000,?,004FE333,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668,?,?,00000000,?), ref: 0040946E

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: DescriptorSecurity$CreateDaclInitializeMutex
String ID:
API String ID: 3525989157-0
Opcode ID: ec6f704e82f184868277b8f2a7b4cd1560981572a3d01120b1391ccfa740d282
Instruction ID: bfdd17de1d08f15f1eb1e8bd115aa5957c8100b125f9989b3268e9b648247d5b
Opcode Fuzzy Hash: ec6f704e82f184868277b8f2a7b4cd1560981572a3d01120b1391ccfa740d282
Instruction Fuzzy Hash: 18E0E5B1A443006FD700DFB58C42F5A76DC9B84714F11493EB564E62C2E679D90987AA

Uniqueness

Uniqueness Score: -1.00%

Function 004B2868, Relevance: 3.0, APIs: 2, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0050B17C), ref: 004B2875
FileTimeToSystemTime.KERNEL32(00000000,000000EC,00000000,0050B17C), ref: 004B288C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 8df3344a1913a510bd2bcbf171e22cdea64415c61be7cbee4416e66eadbfa6e2
Instruction ID: 9f6a24f4defc00cb3f60560b239b7d9862f6860e6d10b1eeb03a0992580cee41
Opcode Fuzzy Hash: 8df3344a1913a510bd2bcbf171e22cdea64415c61be7cbee4416e66eadbfa6e2
Instruction Fuzzy Hash: 5BD09BB251820C6ADF04B6E59CC68CF77DCA604224B500677A514A21D2FF75AB45465D

Uniqueness

Uniqueness Score: -1.00%

Function 00470A2C, Relevance: 1.5, APIs: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00470A48

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: f76e5970be86353728f5777092b2c2d2ddc29d7ef8c624a474a584325eb60d3a
Instruction ID: 43d3b676a681cc8dd192a57e008d754785de3d61f70c2e5714767b9bbbcc4d3d
Opcode Fuzzy Hash: f76e5970be86353728f5777092b2c2d2ddc29d7ef8c624a474a584325eb60d3a
Instruction Fuzzy Hash: 78C01270510140CBDB01D738C4D0E893375B765305FE08696E00887452C338DC49D694

Uniqueness

Uniqueness Score: -1.00%

Function 00438998, Relevance: 86.0, APIs: 1, Strings: 48, Instructions: 268libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(uxtheme.dll,00000000,00438D4A), ref: 004389CD

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,00000000), ref: 00409666

Strings

DrawThemeParentBackground, xrefs: 00438D07
GetThemeSysFont, xrefs: 00438C2F
GetThemeTextMetrics, xrefs: 00438A6D
GetThemeFont, xrefs: 00438B69
GetThemeColor, xrefs: 00438AEB
GetThemeRect, xrefs: 00438B7B
GetWindowTheme, xrefs: 00438C89
HitTestThemeBackground, xrefs: 00438A91
GetCurrentThemeName, xrefs: 00438CE3
GetThemeBackgroundContentRect, xrefs: 00438A25
GetThemeFilename, xrefs: 00438BD5
GetThemeMargins, xrefs: 00438B8D
GetThemeBackgroundRegion, xrefs: 00438A7F
SetWindowTheme, xrefs: 00438BC3
GetThemeInt, xrefs: 00438B33
IsThemeBackgroundPartiallyTransparent, xrefs: 00438AD9
DrawThemeIcon, xrefs: 00438AB5
GetThemePosition, xrefs: 00438B57
GetThemeSysString, xrefs: 00438C41
CloseThemeData, xrefs: 004389EF
GetThemeDocumentationProperty, xrefs: 00438CF5
IsThemePartDefined, xrefs: 00438AC7
DrawThemeText, xrefs: 00438A13
GetThemeSysColor, xrefs: 00438BE7
IsThemeDialogTextureEnabled, xrefs: 00438CAD
GetThemePropertyOrigin, xrefs: 00438BB1
GetThemeSysSize, xrefs: 00438C1D
DrawThemeBackground, xrefs: 00438A01
GetThemeSysInt, xrefs: 00438C53
GetThemeString, xrefs: 00438B0F
DrawThemeEdge, xrefs: 00438AA3
GetThemeBackgroundExtent, xrefs: 00438A37
GetThemeAppProperties, xrefs: 00438CBF
uxtheme.dll, xrefs: 004389C8
GetThemeBool, xrefs: 00438B21
IsAppThemed, xrefs: 00438C77
GetThemeEnumValue, xrefs: 00438B45
GetThemeSysColorBrush, xrefs: 00438BF9
GetThemeIntList, xrefs: 00438B9F
IsThemeActive, xrefs: 00438C65
OpenThemeData, xrefs: 004389DD
GetThemeTextExtent, xrefs: 00438A5B
EnableTheming, xrefs: 00438D19
GetThemePartSize, xrefs: 00438A49
SetThemeAppProperties, xrefs: 00438CD1
EnableThemeDialogTexture, xrefs: 00438C9B
GetThemeMetric, xrefs: 00438AFD
GetThemeSysBool, xrefs: 00438C0B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundExtent$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2238633743-1748089680
Opcode ID: dbed06f7595b1716ce2198f80e2773941165f955f4590fce6a33d3f90667ae1c
Instruction ID: 03dfae092b75d818a524d512a0b8bfda9bd8a64c44f972164b7d9b039d1d0e58
Opcode Fuzzy Hash: dbed06f7595b1716ce2198f80e2773941165f955f4590fce6a33d3f90667ae1c
Instruction Fuzzy Hash: 30A1A5B4A40B11AFDB04EFB5EC86E2A37A8EB19704B10197BB400DF296D77D9C04DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004A4EC4, Relevance: 84.3, APIs: 1, Strings: 47, Instructions: 280libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A4E40: GetVersionExW.KERNEL32(00000114), ref: 004A4E5D

Part of subcall function 004A4E94: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004A4EAC

LoadLibraryW.KERNEL32(00000000,00000000,004A52A5,?,?,00000000,00000000), ref: 004A4F24

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,00000000), ref: 00409666

Strings

GetThemeTextExtent, xrefs: 004A4FB2
GetThemeFont, xrefs: 004A50C0
DrawThemeText, xrefs: 004A4F6A
uxtheme.dll, xrefs: 004A4F11
SetWindowTheme, xrefs: 004A511A
GetThemeColor, xrefs: 004A5042
GetThemeSysColor, xrefs: 004A513E
GetThemeSysFont, xrefs: 004A5186
GetThemeSysBool, xrefs: 004A5162
GetThemeSysColorBrush, xrefs: 004A5150
IsAppThemed, xrefs: 004A51CE
CloseThemeData, xrefs: 004A4F46
GetThemeMargins, xrefs: 004A50E4
GetThemeIntList, xrefs: 004A50F6
OpenThemeData, xrefs: 004A4F34
HitTestThemeBackground, xrefs: 004A4FE8
GetThemeInt, xrefs: 004A508A
DrawThemeParentBackground, xrefs: 004A525E
GetThemeBackgroundContentRect, xrefs: 004A4F7C, 004A4F8E
GetThemeFilename, xrefs: 004A512C
DrawThemeBackground, xrefs: 004A4F58
IsThemeDialogTextureEnabled, xrefs: 004A5204
GetThemeSysSize, xrefs: 004A5174
IsThemePartDefined, xrefs: 004A501E
GetThemeDocumentationProperty, xrefs: 004A524C
DrawThemeEdge, xrefs: 004A4FFA
GetThemeTextMetrics, xrefs: 004A4FC4
GetThemeString, xrefs: 004A5066
DrawThemeIcon, xrefs: 004A500C
GetThemeRect, xrefs: 004A50D2
GetThemePartSize, xrefs: 004A4FA0
GetThemeBool, xrefs: 004A5078
GetCurrentThemeName, xrefs: 004A523A
GetThemeSysInt, xrefs: 004A51AA
GetThemeMetric, xrefs: 004A5054
EnableThemeDialogTexture, xrefs: 004A51F2
GetThemeSysString, xrefs: 004A5198
GetThemeBackgroundRegion, xrefs: 004A4FD6
IsThemeBackgroundPartiallyTransparent, xrefs: 004A5030
IsThemeActive, xrefs: 004A51BC
GetThemeAppProperties, xrefs: 004A5216
GetThemePropertyOrigin, xrefs: 004A5108
SetThemeAppProperties, xrefs: 004A5228
GetThemeEnumValue, xrefs: 004A509C
GetThemePosition, xrefs: 004A50AE
GetWindowTheme, xrefs: 004A51E0
EnableTheming, xrefs: 004A5270

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystemVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2754715182-2910565190
Opcode ID: 5a041caab29879ae59585b4871f3275c17d9cd7a66e2c4b0d18ed676b53e93cb
Instruction ID: 34710f8a37b5754a7619989322830bb577352d0a303a5992ba6e25e5a2d351dc
Opcode Fuzzy Hash: 5a041caab29879ae59585b4871f3275c17d9cd7a66e2c4b0d18ed676b53e93cb
Instruction Fuzzy Hash: C1A11474D40B11AFEB00EFA5D9C6A1E37A8EB26704B50197AB400DF296D77C9C04DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00415600, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 00415609

Part of subcall function 004155D4: GetProcAddress.KERNEL32(00000000), ref: 004155ED

Strings

VarCyFromStr, xrefs: 0041578D
VariantChangeTypeEx, xrefs: 00415617
VarNeg, xrefs: 0041562D
VarSub, xrefs: 0041566F
VarOr, xrefs: 004156F3
VarBoolFromStr, xrefs: 004157A3
VarI4FromStr, xrefs: 00415735
VarNot, xrefs: 00415643
VarMul, xrefs: 00415685
VarBstrFromBool, xrefs: 004157E5
VarIdiv, xrefs: 004156B1
VarDateFromStr, xrefs: 00415777
VarDiv, xrefs: 0041569B
VarMod, xrefs: 004156C7
VarAnd, xrefs: 004156DD
VarAdd, xrefs: 00415659
VarBstrFromCy, xrefs: 004157B9
oleaut32.dll, xrefs: 00415604
VarBstrFromDate, xrefs: 004157CF
VarXor, xrefs: 00415709
VarCmp, xrefs: 0041571F
VarR4FromStr, xrefs: 0041574B
VarR8FromStr, xrefs: 00415761

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: c70b7c8f3169a0024ad30cd2093238351d8f1b20c2dd28c5e1991e145273c34b
Instruction ID: 3f2c7d9c9272da408490c1f522796469700d87a1b7b73b98281ca9341e987c2f
Opcode Fuzzy Hash: c70b7c8f3169a0024ad30cd2093238351d8f1b20c2dd28c5e1991e145273c34b
Instruction Fuzzy Hash: 5E41FE72618B04FB93047B6EA8015DA7BDAD6C07143B4C02BB4048FA59DF7CA9D19B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00432AFC, Relevance: 37.7, APIs: 25, Instructions: 245windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00432B3F
SelectObject.GDI32(?,?), ref: 00432B54
MaskBlt.GDI32(?,?,?,?,?,?,00000000,00431C22,?,?,?,CCAA0029,00000000,00432BC4,?,?), ref: 00432B98
SelectObject.GDI32(?,?), ref: 00432BB2
DeleteObject.GDI32(?), ref: 00432BBE
CreateCompatibleDC.GDI32(00000000), ref: 00432BD2
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00432BF3
SelectObject.GDI32(?,?), ref: 00432C08
SelectPalette.GDI32(?,4B080B07,00000000), ref: 00432C1C
SelectPalette.GDI32(?,?,00000000), ref: 00432C2E
SelectPalette.GDI32(?,00000000,000000FF), ref: 00432C43
SelectPalette.GDI32(?,4B080B07,000000FF), ref: 00432C59
RealizePalette.GDI32(?), ref: 00432C65
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00432C87
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00431C22,?,?,00440328), ref: 00432CA9
SetTextColor.GDI32(?,00000000), ref: 00432CB1
SetBkColor.GDI32(?,00FFFFFF), ref: 00432CBF
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00432CEB
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00432D10
SetTextColor.GDI32(?,00431C22), ref: 00432D1A
SetBkColor.GDI32(?,00000000), ref: 00432D24
SelectObject.GDI32(?,00000000), ref: 00432D37
DeleteObject.GDI32(?), ref: 00432D40
SelectPalette.GDI32(?,00000000,00000000), ref: 00432D62
DeleteDC.GDI32(?), ref: 00432D6B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
String ID:
API String ID: 3976802218-0
Opcode ID: a04f30a74c40dbf7e93a2f238fa9aa79fd4f271c7360f3957c125c04d716e3a9
Instruction ID: d034b4618e2972aea62039f1f7d2ad1cccad53cf4b3874f5b84d587d1a16ec0b
Opcode Fuzzy Hash: a04f30a74c40dbf7e93a2f238fa9aa79fd4f271c7360f3957c125c04d716e3a9
Instruction Fuzzy Hash: 438193B1A00249AFDB50DEA9CD85FAF77FCAB0C714F110559F618F7292C678AD008B69

Uniqueness

Uniqueness Score: -1.00%

Function 00434B10, Relevance: 31.7, APIs: 21, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,00000054,?,00000000,?,?), ref: 00434B33
GetDC.USER32(00000000), ref: 00434B61
CreateCompatibleDC.GDI32(?), ref: 00434B72
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00434B8D
SelectObject.GDI32(?,00000000), ref: 00434BA7
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00434BC9
CreateCompatibleDC.GDI32(?), ref: 00434BD7
SelectObject.GDI32(00000000,00000000), ref: 00434C1F
SelectPalette.GDI32(00000000,?,00000000), ref: 00434C32
RealizePalette.GDI32(00000000), ref: 00434C3B
SelectPalette.GDI32(?,?,00000000), ref: 00434C47
RealizePalette.GDI32(?), ref: 00434C50
SetBkColor.GDI32(00000000,00000000), ref: 00434C5A
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00434C7E
SetBkColor.GDI32(00000000,00000000), ref: 00434C88
SelectObject.GDI32(00000000,00000000), ref: 00434C9B
DeleteObject.GDI32(00000000), ref: 00434CA7
DeleteDC.GDI32(00000000), ref: 00434CBD
SelectObject.GDI32(?,00000000), ref: 00434CD8
DeleteDC.GDI32(00000000), ref: 00434CF4
ReleaseDC.USER32 ref: 00434D05

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
String ID:
API String ID: 332224125-0
Opcode ID: c3fbc05cf5805c8685c1b67128c962a0d125028280f5df3cea1153d378d76d2c
Instruction ID: 453225a8cb8d6c2ada6f79124b4d1807b40c4de9b1724858bfa0f1eafd7650ad
Opcode Fuzzy Hash: c3fbc05cf5805c8685c1b67128c962a0d125028280f5df3cea1153d378d76d2c
Instruction Fuzzy Hash: 8B51EDB1E00244ABDB10DAE9CC55FAFB7FCAB4C704F11546AB614E7292D678AD408B68

Uniqueness

Uniqueness Score: -1.00%

Function 00435ECC, Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 352windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0043613C
CreateCompatibleDC.GDI32(00000001), ref: 004361A1
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 004361B6
SelectObject.GDI32(?,00000000), ref: 004361C0
SelectPalette.GDI32(?,?,00000000), ref: 004361F0
RealizePalette.GDI32(?), ref: 004361FC
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 00436220
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00436279,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0043622E
SelectPalette.GDI32(?,00000000,000000FF), ref: 00436260
SelectObject.GDI32(?,?), ref: 0043626D
DeleteObject.GDI32(00000000), ref: 00436273

Strings

BM, xrefs: 00435FF2
(, xrefs: 00436087

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
String ID: ($BM
API String ID: 2831685396-2980357723
Opcode ID: 9986afa8ea7f606e4d60f232d2bccb231128b627306d268a3973eaa9e3b6380a
Instruction ID: eff55196e3ae19b50b87c52a8b78c27d512031dc7caedbe13f64567dd075d7fd
Opcode Fuzzy Hash: 9986afa8ea7f606e4d60f232d2bccb231128b627306d268a3973eaa9e3b6380a
Instruction Fuzzy Hash: 5CD15E70A00219AFDF14DFA9C885AAEBBF5EF4D304F11906AE900A7395D7389D40CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004FE294, Relevance: 24.8, APIs: 8, Strings: 6, Instructions: 268COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,004FE668,?,?,00000000,?,00000000,00000000,?,004FEB16,00000000,004FEB20,?,00000000), ref: 004FE31B
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668,?,?,00000000,?,00000000,00000000), ref: 004FE341
MsgWaitForMultipleObjects.USER32 ref: 004FE362
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668,?,?,00000000,?,00000000), ref: 004FE377

Part of subcall function 0047F29C: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,0047F333,?,?,?,00000001,?,004B0D32,00000000,004B0D9F), ref: 0047F2D1

Strings

.msg, xrefs: 004FE39A
.lst, xrefs: 004FE3B4
Inno-Setup-RegSvr-Mutex, xrefs: 004FE325
/REGU, xrefs: 004FE2EE
/REG, xrefs: 004FE2CA
Setup, xrefs: 004FE306

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ShowWindow$FileModuleMultipleNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 66301061-3672972446
Opcode ID: 1f8d8fba5d94febdb4b793ef835f61ab8a124ffddd58331bde0fad4704104bd4
Instruction ID: 3eb728371c213ff15b7bf5068121ca3ff1519d47c4d722a15f1148c1838efd6d
Opcode Fuzzy Hash: 1f8d8fba5d94febdb4b793ef835f61ab8a124ffddd58331bde0fad4704104bd4
Instruction Fuzzy Hash: 9A91D430A042089FDB10EBA6C851BBE77F4EB09709F51446AFA00EB7A2D77D9D05CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004B6018, Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 214COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004B62D8,?,?,?,?,00000005,00000000,00000000,?,?,004B76B1,00000000,00000000,?,00000000), ref: 004B618C

Strings

Failed to delete the file; it may be in use (%d)., xrefs: 004B626F
.hlp, xrefs: 004B6055
The file appears to be in use (%d). Will delete on restart., xrefs: 004B61D5
.chw, xrefs: 004B60D3
.gid, xrefs: 004B606E
Stripped read-only attribute., xrefs: 004B6165
.fts, xrefs: 004B6092
.chm, xrefs: 004B60BA
Failed to strip read-only attribute., xrefs: 004B6171
Deleting file: %s, xrefs: 004B612B
.lnk, xrefs: 004B60F9

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: 231f31e1a01902f5494e254cb3f013c92d2622764f013a730e72b0ac363cfa6e
Instruction ID: 7ed9f04ec13f5c3f5660eb524a497fab973c0e9aa021cbf78e872c09f34b2f30
Opcode Fuzzy Hash: 231f31e1a01902f5494e254cb3f013c92d2622764f013a730e72b0ac363cfa6e
Instruction Fuzzy Hash: 57719130B042445BEB15EB6E88427EE77A99F49708F52856BF801AB382CB7CDD05877D

Uniqueness

Uniqueness Score: -1.00%

Function 004352F8, Relevance: 22.8, APIs: 15, Instructions: 253windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435C44: GetDC.USER32(00000000), ref: 00435C9A
Part of subcall function 00435C44: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00435CAF
Part of subcall function 00435C44: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00435CB9
Part of subcall function 00435C44: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004341AB,00000000,00434237), ref: 00435CDD
Part of subcall function 00435C44: ReleaseDC.USER32 ref: 00435CE8

SelectPalette.GDI32(?,?,000000FF), ref: 0043533B
RealizePalette.GDI32(?), ref: 0043534A
GetDeviceCaps.GDI32(?,0000000C), ref: 0043535C
GetDeviceCaps.GDI32(?,0000000E), ref: 0043536B
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0043539E
SetStretchBltMode.GDI32(?,00000004), ref: 004353AC
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 004353C4
SetStretchBltMode.GDI32(00000000,00000003), ref: 004353E1
CreateCompatibleDC.GDI32(00000000), ref: 00435442
SelectObject.GDI32(?,?), ref: 00435457
SelectObject.GDI32(?,00000000), ref: 004354B6
DeleteDC.GDI32(00000000), ref: 004354C5

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: ebcacab3fa35a37b79342335726d59e6d4aef8331e7f4ab6f0e9e340394c0815
Instruction ID: b5d8e392f58817c240ef4e125c29d8db9c785a17438bdfc93f214cfefec58dac
Opcode Fuzzy Hash: ebcacab3fa35a37b79342335726d59e6d4aef8331e7f4ab6f0e9e340394c0815
Instruction Fuzzy Hash: 5D9128B1A00645AFDB10DFA9C985F5EBBF8AF0C304F14955AF548E7292D678ED00CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0043504C, Relevance: 22.8, APIs: 15, Instructions: 252windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435C44: GetDC.USER32(00000000), ref: 00435C9A
Part of subcall function 00435C44: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00435CAF
Part of subcall function 00435C44: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00435CB9
Part of subcall function 00435C44: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004341AB,00000000,00434237), ref: 00435CDD
Part of subcall function 00435C44: ReleaseDC.USER32 ref: 00435CE8

SelectPalette.GDI32(?,?,000000FF), ref: 0043508F
RealizePalette.GDI32(?), ref: 0043509E
GetDeviceCaps.GDI32(?,0000000C), ref: 004350B0
GetDeviceCaps.GDI32(?,0000000E), ref: 004350BF
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 004350F2
SetStretchBltMode.GDI32(?,00000004), ref: 00435100
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00435118
SetStretchBltMode.GDI32(00000000,00000003), ref: 00435135
CreateCompatibleDC.GDI32(00000000), ref: 00435196
SelectObject.GDI32(?,?), ref: 004351AB
SelectObject.GDI32(?,00000000), ref: 0043520A
DeleteDC.GDI32(00000000), ref: 00435219

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: 62c92d5eb5b0f851de4766f09de334abd94ffe329039d1bf9da3c2145fdab174
Instruction ID: 233bef55b0a36d45384dfab345ca70d5732d401be5eec45ae4de51717a1343c1
Opcode Fuzzy Hash: 62c92d5eb5b0f851de4766f09de334abd94ffe329039d1bf9da3c2145fdab174
Instruction Fuzzy Hash: 739119B1600645AFDB10DFADC985F5AB7F8AF0C304F10956AB518EB392D678ED01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0043295C, Relevance: 21.1, APIs: 14, Instructions: 131windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00432973
CreateCompatibleDC.GDI32(00000000), ref: 0043297D
GetObjectW.GDI32(?,00000018,?,00000000,00432AAA,?,00000000,00000000), ref: 0043299D
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004329B4
GetDC.USER32(00000000), ref: 004329C0
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004329ED
ReleaseDC.USER32 ref: 00432A13
SelectObject.GDI32(?,?), ref: 00432A2E
SelectObject.GDI32(?,00000000), ref: 00432A3D
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00432A69
SelectObject.GDI32(?,00000000), ref: 00432A77
SelectObject.GDI32(?,00000000), ref: 00432A85
DeleteDC.GDI32(?), ref: 00432A9B
DeleteDC.GDI32(?), ref: 00432AA4

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: 67ab257ed31fe3c35b11b87cb29eb0e762719229e517f1d8f41f5d0c193293e7
Instruction ID: 38e763b2fcd98df08a58da3a1b598358b1fd906435b550cf8b27876f91933237
Opcode Fuzzy Hash: 67ab257ed31fe3c35b11b87cb29eb0e762719229e517f1d8f41f5d0c193293e7
Instruction Fuzzy Hash: 2141D171A44245AFDB10EAE5C942FAFB7BCEF4C704F104426B614F7282D6B85D008B64

Uniqueness

Uniqueness Score: -1.00%

Function 00464A68, Relevance: 19.7, APIs: 13, Instructions: 248COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00464A9C
GetClientRect.USER32 ref: 00464ABF
GetWindowRect.USER32 ref: 00464AD1
MapWindowPoints.USER32 ref: 00464AE7
ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?,00000000,00464D13), ref: 00464B12
InflateRect.USER32(?,00000000,00000000), ref: 00464B30
GetWindowLongW.USER32(00000000,000000F0), ref: 00464B4A
DrawEdge.USER32(?,?,?,00000008), ref: 00464C4D
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00464C66
GetRgnBox.GDI32(?,?), ref: 00464C9C
MapWindowPoints.USER32 ref: 00464CB2
FillRect.USER32 ref: 00464CEE
ReleaseDC.USER32 ref: 00464D0D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Rect$Window$ClipPoints$ClientDrawEdgeExcludeFillInflateIntersectLongRelease
String ID:
API String ID: 2031318930-0
Opcode ID: 929bc25df9136436eb58daf1e673143fc4020073515f4d91462beb04d9145b3c
Instruction ID: 0155a2863fffdc0196f5b0701a23c8aa15aef842e6437626ca87ec07e7373c89
Opcode Fuzzy Hash: 929bc25df9136436eb58daf1e673143fc4020073515f4d91462beb04d9145b3c
Instruction Fuzzy Hash: FDA14871E00108AFCF00DBA9C885EDEB3F9AF49304F1440AAF555BB292D779AE05DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004AF218, Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 253registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,004AF4B6,?,?,00000003,00000000,00000000,004AF4FA), ref: 004AF335

Part of subcall function 0048087C: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,004AA95E,00000000,004AA9AF,?,004AAB90), ref: 0048089B

RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,004AF3F4,?,?,00000000,00000000,?,00000000,?,00000000), ref: 004AF3B6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,004AF3F4,?,?,00000000,00000000,?,00000000,?,00000000), ref: 004AF3DD

Strings

, xrefs: 004AF2A8
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004AF28E
RegOpenKeyEx, xrefs: 004AF2B1
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004AF255

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: 1047427617db9f01138e030802cbe8996f5a1aa5b76d11ba202c3c5697f9fe88
Instruction ID: 8a6419bcb2791a53381d1124d8102056986f61b08075e087aff4c54e65d8dbb1
Opcode Fuzzy Hash: 1047427617db9f01138e030802cbe8996f5a1aa5b76d11ba202c3c5697f9fe88
Instruction Fuzzy Hash: FE911171A04209ABDF10DBE5C892BEEB7B9EB59304F10443BF901E7281D7789949CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004B4968, Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 162registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004B4B71,?,004B4800,?,00000000,00000000,00000000,?,?,004B4DDC,00000000), ref: 004B4A15
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004B4B71,?,004B4800,?,00000000,00000000,00000000,?,?,004B4DDC,00000000), ref: 004B4A7F
RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,00000001,00000000,00000000,004B4B71,?,004B4800,?,00000000,00000000,00000000,?), ref: 004B4AE6

Strings

v2.0.50727, xrefs: 004B4A71
v4.0.30319, xrefs: 004B4A07
.NET Framework not found, xrefs: 004B4B32
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 004B4A9A
.NET Framework version %s not found, xrefs: 004B4B1E
v1.1.4322, xrefs: 004B4AD8
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004B49C9
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 004B4A33

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Close
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 3535843008-446240816
Opcode ID: c5b0e8f074c58c51fa53ea64b8e7f46607270bbfbbbb95d6cf28a79360552fdf
Instruction ID: f881368aafa08851e714dee7e30283df294346eba548115743bb45c6a3e968b3
Opcode Fuzzy Hash: c5b0e8f074c58c51fa53ea64b8e7f46607270bbfbbbb95d6cf28a79360552fdf
Instruction Fuzzy Hash: D0512830A441455BEF04DBA5C8A1BFE77B6EB89304F15446BE641A7382DB3CAE05C778

Uniqueness

Uniqueness Score: -1.00%

Function 004B3C38, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 004B3C6F
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 004B3C8B
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004B3C99
GetExitCodeProcess.KERNEL32 ref: 004B3CAA
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004B3CF1
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004B3D0D

Strings

Helper process exited with failure code: 0x%x, xrefs: 004B3CD7
Helper isn't responding; killing it., xrefs: 004B3C7B
Helper process exited, but failed to get exit code., xrefs: 004B3CE3
Stopping 64-bit helper process. (PID: %u), xrefs: 004B3C61
Helper process exited., xrefs: 004B3CB9

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 06f3ef80aafb513be0f09159df45a0cd0fd28d7cf1dcd1014fbdc6a2d15fbb3b
Instruction ID: deec9dac3fc8b960488050039533138a1d0b3bc7324053a46838c889ec8e3acf
Opcode Fuzzy Hash: 06f3ef80aafb513be0f09159df45a0cd0fd28d7cf1dcd1014fbdc6a2d15fbb3b
Instruction Fuzzy Hash: 61213D71604700AAD720EFBAC545B8BBBE49F48305F00CD2FB59AD7292D779E940877A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A17C, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61windowregistryCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(MouseZ,Magellan MSWHEEL), ref: 0040A194
RegisterWindowMessageW.USER32(MSWHEEL_ROLLMSG), ref: 0040A1A0
RegisterWindowMessageW.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 0040A1AF
RegisterWindowMessageW.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 0040A1BB
SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0040A1D3
SendMessageW.USER32(00000000,?,00000000,00000000), ref: 0040A1F7

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040A1B6
Magellan MSWHEEL, xrefs: 0040A18A
MSH_WHEELSUPPORT_MSG, xrefs: 0040A1AA
MSWHEEL_ROLLMSG, xrefs: 0040A19B
MouseZ, xrefs: 0040A18F

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Message$Window$Register$Send$Find
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 3569030445-3736581797
Opcode ID: 0fcbb077c07ff9882cc84d3a635bcd3c9e7a428d890ea6953327f829dce1e87a
Instruction ID: de916b79933dc1f45b9434af41ef309634a34aa5b2f0f2deb7c1e5ace83fab2d
Opcode Fuzzy Hash: 0fcbb077c07ff9882cc84d3a635bcd3c9e7a428d890ea6953327f829dce1e87a
Instruction Fuzzy Hash: 2A114C70244302AFE7109F65C882B66B7A8EF85714F20447AB844AB3C2E7B95D50CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004AEE2C, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 238registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FCE8: RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0047FD14

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004AF007,?,00000000,004AF0E1), ref: 004AEF57
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,?,00000000,00000000,?,00000000,?,00000000,004AF007,?,00000000), ref: 004AF09F

Part of subcall function 0048087C: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,004AA95E,00000000,004AA9AF,?,004AAB90), ref: 0048089B

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004AEE71
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004AEEA1
, xrefs: 004AEEBB
RegCreateKeyEx, xrefs: 004AEEC4

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: d5e80d81e0fe594d1050ec4372eeccfc86411ae5c60fa50a63698d802019899c
Instruction ID: f51b78526bea01417bc40a53339b9dfd601407e58267c8bc684484e66f61ddad
Opcode Fuzzy Hash: d5e80d81e0fe594d1050ec4372eeccfc86411ae5c60fa50a63698d802019899c
Instruction Fuzzy Hash: 31910C71E00209AFDB10DFE5C982BEEB7B9EB59304F10402AF615F7281D7799A05CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042DFF4, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E02D
GetSystemMetrics.USER32 ref: 0042E052
GetSystemMetrics.USER32 ref: 0042E05D
GetClipBox.GDI32(?,?), ref: 0042E06F
GetDCOrgEx.GDI32(?,?), ref: 0042E07C
OffsetRect.USER32(?,?,?), ref: 0042E095
IntersectRect.USER32 ref: 0042E0A6
IntersectRect.USER32 ref: 0042E0BC

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(77400000,00000000), ref: 0042DA08

Strings

EnumDisplayMonitors, xrefs: 0042E00C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: df85d8297e30fa34f0bcdb85626337a3b9893c1de04d62d82588ca40d079c9bb
Instruction ID: 17e93728b5bac92616dfb3de875bf7fe68592ef80e8b2d6e5b976c28df33e635
Opcode Fuzzy Hash: df85d8297e30fa34f0bcdb85626337a3b9893c1de04d62d82588ca40d079c9bb
Instruction Fuzzy Hash: 03311371E00229AFDB10DFA6DC45AEF77BCAB05300F508127F915E3241E7B89D068BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004117B8, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 97filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004115CC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,00411778), ref: 004115FF
Part of subcall function 004115CC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00411623
Part of subcall function 004115CC: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 0041163E
Part of subcall function 004115CC: LoadStringW.USER32(00000000,0000FFE8,?,00000100), ref: 004116D9

WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,004118DD), ref: 00411819
WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041184C
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041185E
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00411864
GetStdHandle.KERNEL32(000000F4,004118F8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 00411878
WriteFile.KERNEL32(00000000,000000F4,004118F8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041187E
LoadStringW.USER32(00000000,0000FFE9,?,00000040), ref: 004118A2
MessageBoxW.USER32(00000000,?,?,00002010), ref: 004118BC

Strings

T`P, xrefs: 004117E8
,cP, xrefs: 004117F6

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
String ID: ,cP$T`P
API String ID: 135118572-1769061119
Opcode ID: e85cd00e3fadecd4307acb4d1cb4f21b86297b3514c68a4c792a88d937c25996
Instruction ID: 471c6785c0ee82aab6a22840cb033e6b5eb0057a38e77fa62ffbaee161725c08
Opcode Fuzzy Hash: e85cd00e3fadecd4307acb4d1cb4f21b86297b3514c68a4c792a88d937c25996
Instruction Fuzzy Hash: 4C316471640204BEEB14EBA5DC42FDA73ACEB05704F50817AB705F61E2DE78AE448B68

Uniqueness

Uniqueness Score: -1.00%

Function 0046B708, Relevance: 16.6, APIs: 11, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000EC), ref: 0046B723
GetWindowRect.USER32 ref: 0046B73E
GetWindowDC.USER32(00000000,00000000,?,00000000,000000EC), ref: 0046B75E
GetWindowLongW.USER32(00000000,000000F0), ref: 0046B78F
GetSystemMetrics.USER32 ref: 0046B7A4
GetSystemMetrics.USER32 ref: 0046B7AD
InflateRect.USER32(?,000000FE,000000FE), ref: 0046B7BC
GetSysColorBrush.USER32(0000000F), ref: 0046B7E9
FillRect.USER32 ref: 0046B7F7
ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0046B85E,?,00000000,00000000,?,00000000,000000EC), ref: 0046B81C
ReleaseDC.USER32 ref: 0046B858

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: RectWindow$LongMetricsSystem$BrushClipColorExcludeFillInflateRelease
String ID:
API String ID: 3669760922-0
Opcode ID: eeae7e770ddfedc8e096b4bdded71674067e5f9e257c7ff1727a0606b8e2303f
Instruction ID: cb067baf5e6f3ff7adda9588435dc5e2549230893bec59f4811e0cfedf4ca4aa
Opcode Fuzzy Hash: eeae7e770ddfedc8e096b4bdded71674067e5f9e257c7ff1727a0606b8e2303f
Instruction Fuzzy Hash: 84412271A00109ABCB01EEE9DD42EDFB7BDEF45314F10056AF504F7292DA39AE4586A8

Uniqueness

Uniqueness Score: -1.00%

Function 004FC5AC, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 145fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004AE0F8: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,004AE233), ref: 004AE1E3
Part of subcall function 004AE0F8: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,004AE233), ref: 004AE1F3

CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,004FC79A), ref: 004FC62F
SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,004FC79A), ref: 004FC656
SetWindowLongW.USER32 ref: 004FC690
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004FC763,?,?,000000FC,004FBC7C,00000000,00400000,00000000), ref: 004FC6C5
MsgWaitForMultipleObjects.USER32 ref: 004FC739
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004FC763,?,?,000000FC,004FBC7C,00000000), ref: 004FC747

Part of subcall function 004AE5E8: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004AE6CE

DestroyWindow.USER32(?,004FC76A,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004FC763,?,?,000000FC,004FBC7C,00000000,00400000), ref: 004FC75D

Strings

STATIC, xrefs: 004FC676
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 004FC6F4

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1779715363-2312673372
Opcode ID: bb0a1d58dc9730d7f8a2b7c8d2ad98e5e980f1696d137b7c62bec5e9d4ac99e1
Instruction ID: 9394d469103984081b8070ca8c9da3098e8e46f8cc4b19dc7d3383a2947fd714
Opcode Fuzzy Hash: bb0a1d58dc9730d7f8a2b7c8d2ad98e5e980f1696d137b7c62bec5e9d4ac99e1
Instruction Fuzzy Hash: F6418F70A0420DAFDB00EBB5DD82AAE77F8EB49714F11447AF600F7292D7789D048B69

Uniqueness

Uniqueness Score: -1.00%

Function 004B3EE8, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 124pipeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,004B40CB,?,00000000,004B4126,?,?,00000000,00000000), ref: 004B3F45
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,004B4060,?,00000000,000000FF,00000000,00000000,00000000,004B40CB), ref: 004B3FA2
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,004B4060,?,00000000,000000FF,00000000,00000000,00000000,004B40CB), ref: 004B3FAF
MsgWaitForMultipleObjects.USER32 ref: 004B3FFB
GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,004B4039,00000000,00000000), ref: 004B4025
GetLastError.KERNEL32(?,?,00000000,000000FF,004B4039,00000000,00000000), ref: 004B402C

Part of subcall function 004ADC34: GetLastError.KERNEL32(00000000,004AE8EE,00000005,00000000,004AE916,?,?,00000000,0050B17C,00000000,00000000,00000000,?,004FE26B,00000000,004FE286), ref: 004ADC37

Strings

CreateEvent, xrefs: 004B3F53
TransactNamedPipe, xrefs: 004B3FBB

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: d41c076aab5ca5aa672fdfbe4c0190c1a5b429e4ba5df00348c985c53437eb35
Instruction ID: 572424b8a66cefc517f0d58de0df098976b66a94bdf311a11413d49a6a870913
Opcode Fuzzy Hash: d41c076aab5ca5aa672fdfbe4c0190c1a5b429e4ba5df00348c985c53437eb35
Instruction Fuzzy Hash: 88419F71A00208AFDB11DF99CD81FDEB7B8EB48714F1041A6F604E7792D6389E40CA28

Uniqueness

Uniqueness Score: -1.00%

Function 00461058, Relevance: 15.2, APIs: 10, Instructions: 231windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00461170
SaveDC.GDI32(?), ref: 00461193
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004611D3
RestoreDC.GDI32(?,00460FF2), ref: 004611FF

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Rect$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 1976014923-0
Opcode ID: 5bae6500ca95418954d825d7738d8aef3fc79c48208f7b9a0dbf1543cda5ba6d
Instruction ID: 70bf75537bb4c82ba56664f7d13cedc9c30fb57d843eda755662797bc73f88d8
Opcode Fuzzy Hash: 5bae6500ca95418954d825d7738d8aef3fc79c48208f7b9a0dbf1543cda5ba6d
Instruction Fuzzy Hash: 9591DA70A002499FDB04DF99C485FAE7BF5AF08314F1844A6E944EB3A6E779ED80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004319C0, Relevance: 15.2, APIs: 10, Instructions: 224windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00431F8C: EnterCriticalSection.KERNEL32(0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431F94
Part of subcall function 00431F8C: LeaveCriticalSection.KERNEL32(0050AF20,0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431FA1
Part of subcall function 00431F8C: EnterCriticalSection.KERNEL32(?,0050AF20,0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431FAA

CreateCompatibleDC.GDI32(00000000), ref: 00431A64
SelectObject.GDI32(?,?), ref: 00431A74
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 00431B6E
SetTextColor.GDI32(?,00000000), ref: 00431B7C
SetBkColor.GDI32(?,00FFFFFF), ref: 00431B90
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 00431BC3
SetTextColor.GDI32(?,?), ref: 00431BD3
SetBkColor.GDI32(?,?), ref: 00431BE3
SelectObject.GDI32(?,00000000), ref: 00431C13
DeleteDC.GDI32(?), ref: 00431C1C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Color$CriticalSection$EnterObjectSelectStretchText$CompatibleCreateDeleteLeave
String ID:
API String ID: 675119849-0
Opcode ID: 8a08fb87f795b743e4a3fb426b2e1ff442c03de0321d93f1b4480fba7d9b12ca
Instruction ID: 55b5369e7ab9b0c3b841e8dead2fdba73e69d290c251e6a16fb1218067166020
Opcode Fuzzy Hash: 8a08fb87f795b743e4a3fb426b2e1ff442c03de0321d93f1b4480fba7d9b12ca
Instruction Fuzzy Hash: 12919475A00548AFCB40DFA9C985E9EBBF8AF0D304F5494AAF548EB361C634ED41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004613E4, Relevance: 15.2, APIs: 10, Instructions: 197COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 00461401

Part of subcall function 004595F0: GetWindowOrgEx.GDI32(?), ref: 004595FE
Part of subcall function 004595F0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 00459614

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0046143A
GetWindowLongW.USER32(00000000,000000EC), ref: 0046144E
GetWindowLongW.USER32(00000000,000000F0), ref: 0046146F
SetRect.USER32 ref: 004614CF
IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 0046153F

Part of subcall function 00461338: SaveDC.GDI32(?), ref: 00461348
Part of subcall function 00461338: ExcludeClipRect.GDI32(?,?,?,?,?,00000000,004613CC,?,?), ref: 00461389
Part of subcall function 00461338: RestoreDC.GDI32(?,?), ref: 004613C6

SetRect.USER32 ref: 00461560
DrawEdge.USER32(?,?,00000000,00000000), ref: 0046156F
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00461598
RestoreDC.GDI32(?,?), ref: 00461617

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Rect$ClipWindow$Intersect$LongRestoreSave$DrawEdgeExclude
String ID:
API String ID: 3997055466-0
Opcode ID: 9950d6781ff9d5eff8a3b138a105516a1338cfa7fd7f969085f4e9ccafa65fe7
Instruction ID: a3dab8811c78afcc05711a0e437cf01292ecd1c8eff3016d8288169c54e726f2
Opcode Fuzzy Hash: 9950d6781ff9d5eff8a3b138a105516a1338cfa7fd7f969085f4e9ccafa65fe7
Instruction Fuzzy Hash: E2713C75A00248AFDB10DF99C981F9EB7B8AF48304F144196F901EB3A2D738EE41DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00438250, Relevance: 15.1, APIs: 10, Instructions: 89synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00438260
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00438281
InterlockedExchangeAdd.KERNEL32(?,?), ref: 004382B5
LeaveCriticalSection.KERNEL32(?,00000000,00438331,?,00000000,00000000,00000000,00000000), ref: 004382BB
WaitForSingleObject.KERNEL32(?,?,?,00000000,00438331,?,00000000,00000000,00000000,00000000), ref: 004382C8
SetLastError.KERNEL32(000005B4,?,?,?,00000000,00438331,?,00000000,00000000,00000000,00000000), ref: 004382E2
SetLastError.KERNEL32(00000000,?,?,?,00000000,00438331,?,00000000,00000000,00000000,00000000), ref: 004382F5
EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00438331,?,00000000,00000000,00000000,00000000), ref: 004382FB
InterlockedExchangeAdd.KERNEL32(?,?), ref: 00438312
CloseHandle.KERNEL32(?,0043833C,?,?,?,00000000,00438331,?,00000000,00000000,00000000,00000000), ref: 0043832B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CriticalErrorExchangeInterlockedLastSection$CloseCreateCurrentEnterEventHandleLeaveObjectSingleThreadWait
String ID:
API String ID: 3135347424-0
Opcode ID: 4317fbac339508849a70549e1364c8cb1baa0aa9349f82636f7eca3f1ffe1f83
Instruction ID: fb9ba88145ea954a72c7c5af2f89dabbe07526b79f7e1da62e59565462d38d92
Opcode Fuzzy Hash: 4317fbac339508849a70549e1364c8cb1baa0aa9349f82636f7eca3f1ffe1f83
Instruction Fuzzy Hash: 30219871604304AADB11DFA58C41B9EB7A8DB09704F1484ABF904EB283DA7D9D018769

Uniqueness

Uniqueness Score: -1.00%

Function 0047697C, Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004769C7
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004769E5
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004769F2
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004769FF
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00476A0C
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00476A19
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00476A26
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00476A33
EnableMenuItem.USER32 ref: 00476A51
EnableMenuItem.USER32 ref: 00476A6D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: a1d30e067c49b3b3c213278b205c02e8b56284789c34e07f7c99cda3d534d6d0
Instruction ID: 3e74fcead3795c671015783c1ea3a2708ce59c5f7749655310bb817073437509
Opcode Fuzzy Hash: a1d30e067c49b3b3c213278b205c02e8b56284789c34e07f7c99cda3d534d6d0
Instruction Fuzzy Hash: F0213D703857007AE760EA25CC8EF997AE9AB05718F05C4A5B6487F6E3D6B8A9409708

Uniqueness

Uniqueness Score: -1.00%

Function 0042A928, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 119synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0042A935
CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000), ref: 0042A9A7
EnterCriticalSection.KERNEL32(0050AE80,00000000,0042AAC5), ref: 0042A9CF
LeaveCriticalSection.KERNEL32(0050AE80,00000000,0042AA9E,?,0050AE80,00000000,0042AAC5), ref: 0042AA46
WaitForSingleObject.KERNEL32(?,000000FF,00000000,0042AA7F,?,0050AE80,00000000,0042AA9E,?,0050AE80,00000000,0042AAC5), ref: 0042AA62
EnterCriticalSection.KERNEL32(0050AE80,0042AA86,0042AA7F,?,0050AE80,00000000,0042AA9E,?,0050AE80,00000000,0042AAC5), ref: 0042AA79

Strings

<`P, xrefs: 0042A93A

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CriticalSection$Enter$CreateCurrentEventLeaveObjectSingleThreadWait
String ID: <`P
API String ID: 1504017990-3701931957
Opcode ID: a0a868ddf7b571b4cfe4ed518fc0739341e7f410b2c26d0775e730190c8cbfbf
Instruction ID: 17154e124857e5c90f5ddf3bfa5372f0e28820bbf0dea9b126f489a5461829d8
Opcode Fuzzy Hash: a0a868ddf7b571b4cfe4ed518fc0739341e7f410b2c26d0775e730190c8cbfbf
Instruction Fuzzy Hash: 0B41EF30B04200EFD711DFA5D941A6DBBF5EF49300FA584A6EC04A73A2C3799D54DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 004B1A74, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 90COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,004B1B8E,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004B6989,00000000,004B699D), ref: 004B1A9A

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004B1ADE

Part of subcall function 004ADC34: GetLastError.KERNEL32(00000000,004AE8EE,00000005,00000000,004AE916,?,?,00000000,0050B17C,00000000,00000000,00000000,?,004FE26B,00000000,004FE286), ref: 004ADC37

Strings

ITypeLib::GetLibAttr, xrefs: 004B1B06
GetProcAddress, xrefs: 004B1AAD
OLEAUT32.DLL, xrefs: 004B1A95
UnRegisterTypeLib, xrefs: 004B1A90
LoadTypeLib, xrefs: 004B1AE9
UnRegisterTypeLib, xrefs: 004B1B3C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: d7b15ebabe7a39319ed6deef3d8ceb5cc2e333aa4e658892d93ab267dd6d7464
Instruction ID: 191c21c4325eb05eb286a33cca918340d22c846504a666f5b8da60ef90ebdb10
Opcode Fuzzy Hash: d7b15ebabe7a39319ed6deef3d8ceb5cc2e333aa4e658892d93ab267dd6d7464
Instruction Fuzzy Hash: 11219171A04104AFDB04EBAACC52DABB7FDEF89700391846AB400D7261EA78ED01C778

Uniqueness

Uniqueness Score: -1.00%

Function 004802FC, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6,?,00000000), ref: 00480323

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6,?,00000000), ref: 00480376

Strings

kernel32.dll, xrefs: 0048031E
Locale, xrefs: 00480365
GetUserDefaultUILanguage, xrefs: 00480319
.DEFAULT\Control Panel\International, xrefs: 0048034D
Control Panel\Desktop\ResourceLocale, xrefs: 00480385

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: c5e829451cd05b18ee2f2a9ff1e00738ed66af31cb2052497c1b5869e93cb722
Instruction ID: 04bd3f871a73b1d1c362cdd5e7ddb51ae15ac1bd370bfaf3e4d8d8d317905ba8
Opcode Fuzzy Hash: c5e829451cd05b18ee2f2a9ff1e00738ed66af31cb2052497c1b5869e93cb722
Instruction Fuzzy Hash: CE214630A50209AFDB50FBE5CD51B9EB7E9EB44704F514877AA00E7281E77CAE09CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00404FF4, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000), ref: 0040502D
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5,?,?,?,00000002,004051BA,00403127,0040316E,?), ref: 00405033
GetStdHandle.KERNEL32(000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 00405048
WriteFile.KERNEL32(00000000,000000F5,00405080,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004050A5), ref: 0040504E
MessageBoxA.USER32 ref: 0040506C

Strings

Runtime error at 00000000, xrefs: 00405026, 00405065
,cP, xrefs: 00405012
Error, xrefs: 00405060

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: ,cP$Error$Runtime error at 00000000
API String ID: 1570097196-4047953566
Opcode ID: 6c7604eda5c4a0ce1aa4cc839e6402abadb8f35502979381c1b1512bad27fe2a
Instruction ID: aff957db733e422e874226c42b257deaddd16d96984e274b0132c5c61b15b77c
Opcode Fuzzy Hash: 6c7604eda5c4a0ce1aa4cc839e6402abadb8f35502979381c1b1512bad27fe2a
Instruction Fuzzy Hash: 47F0246165434078EA20B3644C5AFDF2A589340F24F10067FF610F60E3C3BC44D8AAAA

Uniqueness

Uniqueness Score: -1.00%

Function 0045ACF8, Relevance: 13.7, APIs: 9, Instructions: 154COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 0045AD33
MulDiv.KERNEL32(?,?,?), ref: 0045AD4D
MulDiv.KERNEL32(?,?,?), ref: 0045AD7B
MulDiv.KERNEL32(?,?,?), ref: 0045AD91
MulDiv.KERNEL32(?,?,?), ref: 0045ADBF
MulDiv.KERNEL32(?,?,?), ref: 0045ADD7

Part of subcall function 004310BC: MulDiv.KERNEL32(00000000,00000048,?), ref: 004310CD

MulDiv.KERNEL32(?), ref: 0045AE3A
MulDiv.KERNEL32(?), ref: 0045AE64
MulDiv.KERNEL32(00000000), ref: 0045AE8A

Part of subcall function 004310D8: MulDiv.KERNEL32(00000000,?,00000048), ref: 004310E5

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb277bad611c346ff1991370ca033b106477e3967459932ce9857668bd030e1
Instruction ID: cbcf29d1df717e5467e7b58d9b1f3f7bb140d44b15be0f5f3a5574123752bf6b
Opcode Fuzzy Hash: cdb277bad611c346ff1991370ca033b106477e3967459932ce9857668bd030e1
Instruction Fuzzy Hash: A7513D716043509FC320EB69C845A6AFBFA9F49342F04491EB9D6C7763C678EC588B16

Uniqueness

Uniqueness Score: -1.00%

Function 004B3054, Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 0047F740: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0047F753

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,004B3204,00000000, /s ",?,regsvr32.exe",?,004B3204), ref: 004B3172

Strings

D, xrefs: 004B3128
0x%x, xrefs: 004B3195
CreateProcess, xrefs: 004B3164
Spawning 32-bit RegSvr32: , xrefs: 004B3107
Spawning 64-bit RegSvr32: , xrefs: 004B30ED
regsvr32.exe", xrefs: 004B30A3
/s ", xrefs: 004B30CB
/u, xrefs: 004B30BE

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 23d869725129bdc58cbabc47fe0690b9511ee18618ca81e55f5f4136a1f5b3ac
Instruction ID: 66d8bbeefab001e93fd0daa37c0fcf61f05cf9f06ca673b2bfef83fab24dbd4d
Opcode Fuzzy Hash: 23d869725129bdc58cbabc47fe0690b9511ee18618ca81e55f5f4136a1f5b3ac
Instruction Fuzzy Hash: C0415570A00308ABDB14EFE6C882BCDB7B9AF48704F61417FA515B7681D7789A05CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0045BD50, Relevance: 13.6, APIs: 9, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0045BD87
GetDCEx.USER32(?,00000000,00000402), ref: 0045BD9A
SelectObject.GDI32(?,00000000), ref: 0045BDBD
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045BDE3
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045BE05
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045BE24
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045BE3E
SelectObject.GDI32(?,?), ref: 0045BE4B
ReleaseDC.USER32 ref: 0045BE65

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ObjectSelect$DesktopReleaseWindow
String ID:
API String ID: 1187665388-0
Opcode ID: 651e5e5c19d1d13d558d056dbeb7af1607f996859c2e79d1d975022b1cf0822b
Instruction ID: f94388f2b7d02364f550420eeef9b479d6c3176f28fd23033ec12eb224202978
Opcode Fuzzy Hash: 651e5e5c19d1d13d558d056dbeb7af1607f996859c2e79d1d975022b1cf0822b
Instruction Fuzzy Hash: ED31FBB6A00259AFDB00DEEDCC85DAFBBFCEF09704B404469B504F7252C679AD048BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00412F90, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 203threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,0041326E,?,?,00000000,00000000), ref: 00412FC6

Part of subcall function 00410FC0: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00410FDE

Strings

AMPM , xrefs: 004131F9
m/d/yy, xrefs: 0041309E
:mm:ss, xrefs: 00413226
:mm, xrefs: 00413209
mmmm d, yyyy, xrefs: 004130CB
AMPM, xrefs: 004131EA

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 509fd217e86747cf4497de6bfe02dd89315d88281094d8e9674e5b4908f219ef
Instruction ID: 7c054af7a516aab345ac8521e9f423a8792475cef51cfb87fefa8a466171e700
Opcode Fuzzy Hash: 509fd217e86747cf4497de6bfe02dd89315d88281094d8e9674e5b4908f219ef
Instruction Fuzzy Hash: 0F7187307001089BD700FBA5D842ADE76B5EB88308F50847BB501AB786CE7DDE86975D

Uniqueness

Uniqueness Score: -1.00%

Function 004169E4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00416A7D
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00416A99
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00416AD2
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00416B4F
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00416B68
VariantCopy.OLEAUT32(?), ref: 00416B9D

Strings

, xrefs: 004169FE

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: 86a953aee0689dc95b9e17fb1d0c1c85de9258122d554b9b854fedb9a6b6e88b
Instruction ID: 073c607dc89d15d92b45d7eff1d1d7c35c10424ae1d92f49a1c29152ec58865f
Opcode Fuzzy Hash: 86a953aee0689dc95b9e17fb1d0c1c85de9258122d554b9b854fedb9a6b6e88b
Instruction Fuzzy Hash: AE511CB590162D9BCB22DB59C881AD9B7FDAF49304F4141DAF508E7206D638EFC48F68

Uniqueness

Uniqueness Score: -1.00%

Function 0042A364, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0042A36F
GetCurrentThreadId.KERNEL32 ref: 0042A37E

Part of subcall function 0042A318: ResetEvent.KERNEL32(00000220,0042A3B9), ref: 0042A31E

EnterCriticalSection.KERNEL32(0050AE80), ref: 0042A3C3
InterlockedExchange.KERNEL32(00502EC8,?), ref: 0042A3DF
LeaveCriticalSection.KERNEL32(0050AE80,00000000,0042A527,?,00502EC8,?,00000000,0042A546,?,0050AE80), ref: 0042A438
EnterCriticalSection.KERNEL32(0050AE80,0042A4D0,0050AE80,00000000,0042A527,?,00502EC8,?,00000000,0042A546,?,0050AE80), ref: 0042A4C3

Strings

<`P, xrefs: 0042A374

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID: <`P
API String ID: 2189153385-3701931957
Opcode ID: 0b6060d9aeedb1a8e75a425ac120743075a509aa4ea98914767ca838747bc786
Instruction ID: 42fa02cbf40a98ce2fd9b3a1e65ae42f65c158ee23ab3f7ba28234894369a059
Opcode Fuzzy Hash: 0b6060d9aeedb1a8e75a425ac120743075a509aa4ea98914767ca838747bc786
Instruction Fuzzy Hash: 1B41CF30704310AFD711EF65E845A6EB7F8EB49304FA184A6EC0097692C77C9D55DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 0042DD24, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042DD55
SystemParametersInfoW.USER32 ref: 0042DD7C
GetSystemMetrics.USER32 ref: 0042DD91
GetSystemMetrics.USER32 ref: 0042DD9C
lstrcpyW.KERNEL32 ref: 0042DDC6

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(77400000,00000000), ref: 0042DA08

Strings

GetMonitorInfoW, xrefs: 0042DD3C
DISPLAY, xrefs: 0042DDBD

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW
API String ID: 1539801207-2774842281
Opcode ID: 6013b80fee8828815b7bf70af07bb6106d25a2d168ece8b6bcdae926e03c5d5a
Instruction ID: f8a99659de7e936d26b859332dc36a9af10afe7b9189107396f3b145f37c3306
Opcode Fuzzy Hash: 6013b80fee8828815b7bf70af07bb6106d25a2d168ece8b6bcdae926e03c5d5a
Instruction Fuzzy Hash: C211D331B20B249FE720DF61EC447ABB7A9FF15710F40452EE85597290D3B5A808CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401E90, Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,?,00000000,00401B02), ref: 00401F26
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00401B02), ref: 00401F40

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 640c5057a72c6dbb0422c9b9f9754700285ad1cf43a38a5375ac3ac175463c7f
Instruction ID: 2c2d5c02e637940cdaae66071fd82b231375502963bbe3d5c6e07b4922b04b4c
Opcode Fuzzy Hash: 640c5057a72c6dbb0422c9b9f9754700285ad1cf43a38a5375ac3ac175463c7f
Instruction Fuzzy Hash: 877111716042008FD725DB29CD84B2ABBD4AB95314F18C2BFE844AB3F2C778C845CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0046C2BC, Relevance: 12.2, APIs: 8, Instructions: 170windowCOMMON

Download Yara Rule

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 0046C31B
ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,?,?), ref: 0046C3BC
SetTextColor.GDI32(00000000,00FFFFFF), ref: 0046C409
SetBkColor.GDI32(00000000,00000000), ref: 0046C411
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 0046C436

Part of subcall function 0046C294: ImageList_GetBkColor.COMCTL32(00000000,?,0046C2F5,00000000,?), ref: 0046C2AA

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ColorImageList_$Draw$Text
String ID:
API String ID: 2027629008-0
Opcode ID: e5902e12248b077f5dcf303b7e502621638e328100d3871dcddeedb462ad1493
Instruction ID: 0572dc63e4f83b290eea8cf668f5d6a7550ba7143290c0555269fa3e812d361c
Opcode Fuzzy Hash: e5902e12248b077f5dcf303b7e502621638e328100d3871dcddeedb462ad1493
Instruction Fuzzy Hash: EB512B71701105AFCB40EFAACDC2F9E37ACAF08314F54115AB904EB296CA78EC418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004B55E8, Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004B576C,?,00000000,?), ref: 004B56AE

Part of subcall function 004AECF0: FindClose.KERNEL32(000000FF,004AEDE5), ref: 004AEDD4

Strings

Deleting directory: %s, xrefs: 004B5637
Stripped read-only attribute., xrefs: 004B5670
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 004B5688
Failed to delete directory (%d)., xrefs: 004B5746
Failed to delete directory (%d). Will retry later., xrefs: 004B56C7
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 004B5725
Failed to strip read-only attribute., xrefs: 004B567C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 47220f836dccfbec71362dad6c5e34adae09152e1f72f2b7f61939b0aa391a1c
Instruction ID: a9663ac9cb91e778f4acd9085cc6da21d10970a72d262db760f8853ea0a8091c
Opcode Fuzzy Hash: 47220f836dccfbec71362dad6c5e34adae09152e1f72f2b7f61939b0aa391a1c
Instruction Fuzzy Hash: C541D330B04A049ACB01EB6E89413EEF7E5AF49318F50857BA41597391DFBC8D05877E

Uniqueness

Uniqueness Score: -1.00%

Function 0047C01C, Relevance: 12.1, APIs: 8, Instructions: 99windowthreadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0047C042
IsWindowUnicode.USER32(00000000), ref: 0047C085
SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 0047C0A0
SendMessageA.USER32(00000000,-0000BBEE,00000000,00000000), ref: 0047C0BF
GetWindowThreadProcessId.USER32(00000000), ref: 0047C0CE
GetWindowThreadProcessId.USER32(?,?), ref: 0047C0DF
SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 0047C0FF

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: 5ad7e739a11c1de0ba7bd1ff9b3dec43e2974d157b62f9ac315e289ccf3a9b78
Instruction ID: 61dab7ecd4aef365e16f5b47f15cac0b2b796b678c0681677c6b1ce3be4e1523
Opcode Fuzzy Hash: 5ad7e739a11c1de0ba7bd1ff9b3dec43e2974d157b62f9ac315e289ccf3a9b78
Instruction Fuzzy Hash: 02211E71204649AFD760EAA9CD81FA773DCDB14314B14C83EF95ED7283D629EC4087A9

Uniqueness

Uniqueness Score: -1.00%

Function 00432E94, Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00432EC2
GetDeviceCaps.GDI32(?,00000068), ref: 00432EDE
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00432EFD
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 00432F21
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 00432F3F
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 00432F53
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00432F73
ReleaseDC.USER32 ref: 00432F8B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: EntriesPaletteSystem$CapsDeviceRelease
String ID:
API String ID: 1781840570-0
Opcode ID: b792980786c42040da24eeb03558754ace334723f50328ca1c6c73013d4e6fa9
Instruction ID: 0fb3abe7e5a41bd5da015c9731a084f43fd291a6ac1a4f8aaa109c0561839734
Opcode Fuzzy Hash: b792980786c42040da24eeb03558754ace334723f50328ca1c6c73013d4e6fa9
Instruction Fuzzy Hash: 382186B1A00218AADB10DBA9CD81FAE73BCEB4C708F5004A6F704F71D1D6799E409B28

Uniqueness

Uniqueness Score: -1.00%

Function 00402088, Relevance: 10.9, APIs: 7, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e564b932a5f1a7030e953fdf53f5065d19ad7c6e59cc17798857a132f335c3
Instruction ID: 3a69dfe832a6f357556f7e76a11f9f7263626d9ba2b87e85491605003e011a55
Opcode Fuzzy Hash: 15e564b932a5f1a7030e953fdf53f5065d19ad7c6e59cc17798857a132f335c3
Instruction Fuzzy Hash: 28C134727006004BD715AABD9D8936EB3869BC4325F18827FF604EB3E6DABCDC458758

Uniqueness

Uniqueness Score: -1.00%

Function 004029CC, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 277windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32 ref: 00402DA1

Strings

,jP, xrefs: 00402A1E
, xrefs: 00402CDA
n P, xrefs: 00402B4E
7, xrefs: 00402B44
,jP, xrefs: 00402AAB

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Message
String ID: $,jP$,jP$7$n P
API String ID: 2030045667-1149660803
Opcode ID: af57426f23213b8dafdb8b48d17e070b8e70ace6ae1fa87f6a3311ab6e865782
Instruction ID: 416763a972b0038aff62a10e2b51163af9df47803db5e931e0c8ac85ecf44bce
Opcode Fuzzy Hash: af57426f23213b8dafdb8b48d17e070b8e70ace6ae1fa87f6a3311ab6e865782
Instruction Fuzzy Hash: D0B19330B042648BDB21EB2DCD88B9D77E4AB19304F1441FAE449E73D2DBB89D85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004655D8, Relevance: 10.7, APIs: 7, Instructions: 224COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,00465875), ref: 0046576D
GetTickCount.KERNEL32 ref: 00465772

Part of subcall function 0045A758: KiUserCallbackDispatcher.NTDLL(?,00000000,?,?,004C4A09,0000000C), ref: 0045A76B

SystemParametersInfoW.USER32 ref: 004657D1
SystemParametersInfoW.USER32 ref: 004657E9
AnimateWindow.USER32(00000000,00000064,?), ref: 0046582E
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,00465875), ref: 0046583F
GetTickCount.KERNEL32 ref: 0046585C

Part of subcall function 00468FC4: GetCursorPos.USER32(?,00000000,00465805,00001018,00000000,00000000,00000000,00001016,00000000,?,00000000,00000000,000000FF,?,?,?), ref: 00468FC8

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCallbackCursorDispatcherShowUser
String ID:
API String ID: 1093677395-0
Opcode ID: 9922876689ead085bb7576f6863f37b8734170d51829a19f452b2cd26020e8bc
Instruction ID: e997385fbbed9d50ae99d5e92f9fbd2ef5f0a51a6e024e9dd257720e51baa724
Opcode Fuzzy Hash: 9922876689ead085bb7576f6863f37b8734170d51829a19f452b2cd26020e8bc
Instruction Fuzzy Hash: FA8150746006049FDB10EF69C885A9EB7F5AF48304F1088BAF445EB352EB79ED45CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0044DDFC, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 217windowCOMMON

Download Yara Rule

APIs

InsertMenuItemW.USER32(?,000000FF,000000FF,00000030), ref: 0044E012

Part of subcall function 0044E388: CreateMenu.USER32(?,0044E28B,?,?,00000000,?,0044E213,?,00453545,004764A0), ref: 0044E3B3

GetVersion.KERNEL32(00000000,0044E0C4), ref: 0044DE99

Part of subcall function 0044E388: CreatePopupMenu.USER32(?,0044E28B,?,?,00000000,?,0044E213,?,00453545,004764A0), ref: 0044E3A6

InsertMenuW.USER32(?,000000FF,00000000,00000000,00000000), ref: 0044E085
InsertMenuW.USER32(?,000000FF,00000000,?,00000000), ref: 0044E0A1

Strings

?, xrefs: 0044DECA
,, xrefs: 0044DEC3

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 0b916a9719fc6844f23f4e682ebe6d2f59231ec73e720443bc127fb6521308d1
Instruction ID: bba3e7d28215330a891b0f6e6139d6a9adac1eccde4b56bc24ff52f653770e97
Opcode Fuzzy Hash: 0b916a9719fc6844f23f4e682ebe6d2f59231ec73e720443bc127fb6521308d1
Instruction Fuzzy Hash: 7B811130A00255AFEB60DF6AC980AAEB7F5BB05304F14406BF550E7792D378ED29DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004AE5E8, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 216COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004AE6CE

Strings

WININIT.INI, xrefs: 004AE67C
.tmp, xrefs: 004AE68A
[rename], xrefs: 004AE732, 004AE76E
NUL, xrefs: 004AE791
MoveFileEx, xrefs: 004AE8E4

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 2df987f84cfa14fe61a8d226cca37f8dcb9cf46a908210a454c57c6ac6c70c7a
Instruction ID: 4f9e6d17b67b38806c5b220eb31912b83165e38f549e9769f448a7a62be43be8
Opcode Fuzzy Hash: 2df987f84cfa14fe61a8d226cca37f8dcb9cf46a908210a454c57c6ac6c70c7a
Instruction Fuzzy Hash: 29814174A002089FDF10EB96C882BDEB7B5EF5A308F50846AF91077391D779AD45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0047C868, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047DD18: GetActiveWindow.USER32 ref: 0047DD3F
Part of subcall function 0047DD18: GetLastActivePopup.USER32(00000001), ref: 0047DD54

GetWindowRect.USER32 ref: 0047C8F3
SetWindowPos.USER32(00000001,00000000,?,?,00000000,00000000,0000001D,00000001,?), ref: 0047C92E
MessageBoxW.USER32(00000000,00000000,00000000,00000000), ref: 0047C96D
SetWindowPos.USER32(00000001,00000000,?,?,00000000,00000000,0000001D,0047C9E6,00000000,00000000,0047C9DF), ref: 0047C9C0
SetActiveWindow.USER32(00000000,0047C9E6,00000000,00000000,0047C9DF), ref: 0047C9D1

Strings

(, xrefs: 0047C8CD

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$Active$LastMessagePopupRect
String ID: (
API String ID: 3456420849-3887548279
Opcode ID: 0dafdfb7a07d314d126781bea1eb0c2a8c5848a38517362d8d77d90b476e0b16
Instruction ID: c27aebf2684b8ea1a1d832875631c6833832f8515d49a28bf35c7c281aaff68a
Opcode Fuzzy Hash: 0dafdfb7a07d314d126781bea1eb0c2a8c5848a38517362d8d77d90b476e0b16
Instruction Fuzzy Hash: 9D51EAB5A00208EFDB44DBA9C885FEEB7B5FB48304F148569F608E7395D674AD018B54

Uniqueness

Uniqueness Score: -1.00%

Function 004585C4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 136threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00458A04: WindowFromPoint.USER32(-000000F4,?,?,004585DE,?,-0000000C,?), ref: 00458A0A
Part of subcall function 00458A04: GetParent.USER32(00000000), ref: 00458A21

GetWindow.USER32(00000000,00000004), ref: 004585E6
GetCurrentThreadId.KERNEL32 ref: 004586BD
EnumThreadWindows.USER32(00000000,00458564,?), ref: 004586C3
GetWindowRect.USER32 ref: 004586DA

Part of subcall function 00457870: GetWindowThreadProcessId.USER32(00000000), ref: 0045787D
Part of subcall function 00457870: GetCurrentProcessId.KERNEL32(?,00000000,00000000,0047DF65,?,00000000,?,00000001,0047C338,?,00000000,00000200,0000020A,00000001), ref: 00457886
Part of subcall function 00457870: GlobalFindAtomW.KERNEL32(00000000), ref: 0045789B
Part of subcall function 00457870: GetPropW.USER32 ref: 004578B2

Strings

(GE, xrefs: 00458704
0bE, xrefs: 0045867D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$Thread$CurrentProcess$AtomEnumFindFromGlobalParentPointPropRectWindows
String ID: (GE$0bE
API String ID: 349414421-3107333291
Opcode ID: 9cba7376279dbced43d6b9f0d37dc2accfc2e951a94ba58fb19c507ab4a9697b
Instruction ID: ae17b4ad0763dcafad620fef69102b15d0ee6fbcb9dfe3275e0567b889308847
Opcode Fuzzy Hash: 9cba7376279dbced43d6b9f0d37dc2accfc2e951a94ba58fb19c507ab4a9697b
Instruction Fuzzy Hash: 29513D70A002099FCB00DFA9C885AAEB7B4BB48345F10456AEC55EB393DB78DD49CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0043682C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004368E8
CreateHalftonePalette.GDI32(00000000,00000000), ref: 004368F5
ReleaseDC.USER32 ref: 00436904
DeleteObject.GDI32(00000000), ref: 00436972

Strings

(, xrefs: 0043689F
dB, xrefs: 00436865

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateDeleteHalftoneObjectPaletteRelease
String ID: ($dB
API String ID: 577518360-404104738
Opcode ID: ed5a40e957989e5db676064f8f038284e2d75d5f3da43bad8518e490be35cdd0
Instruction ID: e5af28e37cbb7155dac159f6ba2d2ded8c8a3d7b18243e6f7da2e6a0b919c287
Opcode Fuzzy Hash: ed5a40e957989e5db676064f8f038284e2d75d5f3da43bad8518e490be35cdd0
Instruction Fuzzy Hash: FF41D7B0A04209EFDB04DFA5C445B9EFBF6EF4D308F1180AAE404A73A1D6785E45DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004A6F64, Relevance: 10.6, APIs: 7, Instructions: 110COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000014), ref: 004A6FA7
SetTextColor.GDI32(00000000,00000000), ref: 004A6FBF
DrawTextW.USER32(00000000,00000000,?,?,?), ref: 004A6FF5
GetSysColor.USER32(00000010), ref: 004A7009
SetTextColor.GDI32(00000000,00000000), ref: 004A7021
DrawTextW.USER32(?,00000000,?,?,?), ref: 004A7057
DrawTextW.USER32(?,00000000,?,?,?), ref: 004A708F

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Text$Color$Draw
String ID:
API String ID: 2775849416-0
Opcode ID: fc2fa7a8644dc9eba060bbbfb44e4c79525fc061634a567f524af734156458fa
Instruction ID: 01b4ed0c867c6265f7320c1f1695f9e5371b593b58d257530a6a66c4cb13c165
Opcode Fuzzy Hash: fc2fa7a8644dc9eba060bbbfb44e4c79525fc061634a567f524af734156458fa
Instruction Fuzzy Hash: C2316475701104AFC740EF6EC889D9AB7F8AF48314F15817AF918DB3A2C674EE048B54

Uniqueness

Uniqueness Score: -1.00%

Function 004B209C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,?,?), ref: 004B20ED

Part of subcall function 0047BEA4: GetWindowTextW.USER32 ref: 0047BED3

Part of subcall function 00470BFC: GetCurrentThreadId.KERNEL32 ref: 00470C53
Part of subcall function 00470BFC: EnumThreadWindows.USER32(00000000,00470BAC,00000000), ref: 00470C59

Part of subcall function 0047BF28: SetWindowTextW.USER32(?,00000000), ref: 0047BF58

GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004B2150
TranslateMessage.USER32(?), ref: 004B216E
DispatchMessageW.USER32 ref: 004B2177

Strings

[Paused] , xrefs: 004B212B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
String ID: [Paused]
API String ID: 1007367021-4230553315
Opcode ID: b53d6765b66b1f017eb08fe7e4055ffc033c299ce5e7bd8edfe8a6a73743bae4
Instruction ID: f7876955be2cb41d1d2257ae62b8880ba0ac7922f68f73269f2cb01262406678
Opcode Fuzzy Hash: b53d6765b66b1f017eb08fe7e4055ffc033c299ce5e7bd8edfe8a6a73743bae4
Instruction Fuzzy Hash: 4D31B030904248AEDB11EBB9CD81BDE7BF8EB09304F5584A6F500E3291DBB89D04DB39

Uniqueness

Uniqueness Score: -1.00%

Function 0046D040, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 0041253C: GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00412612), ref: 0041257E
Part of subcall function 0041253C: GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,004125F5,?,00000000,?,00000000,00412612), ref: 004125B3
Part of subcall function 0041253C: VerQueryValueW.VERSION(?,00412624,?,?,00000000,?,00000000,?,00000000,004125F5,?,00000000,?,00000000,00412612), ref: 004125CD

GetModuleHandleW.KERNEL32(comctl32.dll), ref: 0046D074

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

ImageList_Write.COMCTL32(00000000,?,00000000,0046D13A), ref: 0046D104

Strings

comctl32.dll, xrefs: 0046D06F
ImageList_WriteEx, xrefs: 0046D07F
0B, xrefs: 0046D0E0, 0046D115
comctl32.dll, xrefs: 0046D054

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FileInfoVersion$AddressHandleImageList_ModuleProcQuerySizeValueWrite
String ID: 0B$ImageList_WriteEx$comctl32.dll$comctl32.dll
API String ID: 4063495462-3856334682
Opcode ID: 32388cc35239ad664d79164a5932ec58d1806856dce9d4b4f864c00438ef53b6
Instruction ID: 5237d21f56526580522d95e3f5c22925f03333b92e4ddc9e0fac8314b13122c4
Opcode Fuzzy Hash: 32388cc35239ad664d79164a5932ec58d1806856dce9d4b4f864c00438ef53b6
Instruction Fuzzy Hash: 86216270F402009BEB14AF76DD95B6B36A8EB59708F50013AF401D73A2EB799C45DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004D8D84, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72fileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 004D8DB0
GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 004D8DC9
CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 004D8DF3
CloseHandle.KERNEL32(00000000), ref: 004D8E11

Strings

GetFinalPathNameByHandleW, xrefs: 004D8DA6
kernel32.dll, xrefs: 004D8DAB

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FileHandle$AttributesCloseCreateModule
String ID: GetFinalPathNameByHandleW$kernel32.dll
API String ID: 791737717-340263132
Opcode ID: 39dec38738e43aca1343b10a8f304e0354ed1cc44d45ac263c20267a07cc6bfd
Instruction ID: 6eba4a4fa280df9203778175666092d8d09e2161eb6eb13b461aa55ad8284538
Opcode Fuzzy Hash: 39dec38738e43aca1343b10a8f304e0354ed1cc44d45ac263c20267a07cc6bfd
Instruction Fuzzy Hash: 9611A1A17407083AE520316A4C97F7B228C8B5176CF14093FBB18EA3D3EDBD9C02466E

Uniqueness

Uniqueness Score: -1.00%

Function 0042DE14, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 0042DE6C
GetSystemMetrics.USER32 ref: 0042DE81
GetSystemMetrics.USER32 ref: 0042DE8C
lstrcpyW.KERNEL32 ref: 0042DEB6

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(77400000,00000000), ref: 0042DA08

Strings

DISPLAY, xrefs: 0042DEAD
GetMonitorInfoA, xrefs: 0042DE2C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: 0334af3791ca62d81c8f9f5ce90da1c1f0b011aef06e85ec219d068396a30baa
Instruction ID: e690db379b360be8035375c306f1954558621b1b4093ea6aaf1bcb1541f2fec9
Opcode Fuzzy Hash: 0334af3791ca62d81c8f9f5ce90da1c1f0b011aef06e85ec219d068396a30baa
Instruction Fuzzy Hash: 8211A231B01B249FD7209F60EC447ABB7A9FF25710F41492AE9569B280D7B4A8088765

Uniqueness

Uniqueness Score: -1.00%

Function 0042DF04, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 0042DF5C
GetSystemMetrics.USER32 ref: 0042DF71
GetSystemMetrics.USER32 ref: 0042DF7C
lstrcpyW.KERNEL32 ref: 0042DFA6

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(77400000,00000000), ref: 0042DA08

Strings

DISPLAY, xrefs: 0042DF9D
GetMonitorInfoW, xrefs: 0042DF1C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW
API String ID: 2545840971-2774842281
Opcode ID: 3e9f6e86240fb2a71e1c9de38d2c020a4f78943b31431b8fdbf65326cccb383b
Instruction ID: 84edf9fb7463b4be4b191504fda9a04e2f169d7f8fe1acd0c1031d1866ba9900
Opcode Fuzzy Hash: 3e9f6e86240fb2a71e1c9de38d2c020a4f78943b31431b8fdbf65326cccb383b
Instruction Fuzzy Hash: AB11D332B003249FD720DF60ED44BABB7A9EB05710F41452EF84697280E7B4A849CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00434340, Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 004330E8: GetObjectW.GDI32(00000000,00000004,?,000000FF,00000000,00000018,00000000,0043464A,00000000,004347A0,?,00000000,00434A96,?,00000000,00000000), ref: 004330FF
Part of subcall function 004330E8: GetPaletteEntries.GDI32(00000000,00000000,?,00000028), ref: 00433122

GetDC.USER32(00000000), ref: 0043437E
CreateCompatibleDC.GDI32(?), ref: 0043438A
SelectObject.GDI32(?), ref: 00434397
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,004343EF,?,?,?,?,00000000), ref: 004343BB
SelectObject.GDI32(?,?), ref: 004343D5
DeleteDC.GDI32(?), ref: 004343DE
ReleaseDC.USER32 ref: 004343E9

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
String ID:
API String ID: 4046155103-0
Opcode ID: 4cc14c19a4e107e091eca515082334aab6debb1a019eb6af870d7d8d2492fed7
Instruction ID: ac795cd6fd40d748ce50fe862934118e8cfa46c4ed00d813a7174b02b8df3c14
Opcode Fuzzy Hash: 4cc14c19a4e107e091eca515082334aab6debb1a019eb6af870d7d8d2492fed7
Instruction Fuzzy Hash: B3112771E442596BDB10DBE9C851AAEB3FCEB48704F40446AB904E7292D7799D408B64

Uniqueness

Uniqueness Score: -1.00%

Function 0042AB6C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66threadsynchronizationwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0042AB97
PeekMessageW.USER32 ref: 0042ABC3
MsgWaitForMultipleObjects.USER32 ref: 0042ABD8
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0042AC05
GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0042AC10

Strings

<`P, xrefs: 0042AB9C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ThreadWait$CodeCurrentExitMessageMultipleObjectObjectsPeekSingle
String ID: <`P
API String ID: 1797888035-3701931957
Opcode ID: b0dbb5c64302547982bc86ceb098bf2d20eb860276425ec8a56e7f48cd3c05a2
Instruction ID: 7964f1d78324b9a64a1f92550013217c3c94e1c751d8d64debe9312779c8cfa5
Opcode Fuzzy Hash: b0dbb5c64302547982bc86ceb098bf2d20eb860276425ec8a56e7f48cd3c05a2
Instruction Fuzzy Hash: B011D3717403506BC610EB7ADCC2F5E37C8AB54714F90492AFA50E72D2D678EC44C74A

Uniqueness

Uniqueness Score: -1.00%

Function 00479CA8, Relevance: 10.6, APIs: 7, Instructions: 58threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00479CC3
WindowFromPoint.USER32(?,?), ref: 00479CD0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00479CDE
GetCurrentThreadId.KERNEL32 ref: 00479CE5
SendMessageW.USER32(00000000,00000084,00000000,00000000), ref: 00479D08
SendMessageW.USER32(00000000,00000020,00000000,?), ref: 00479D1A
SetCursor.USER32(00000000), ref: 00479D2C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: ff1185d674757ab3b9ef60e383ae3b7c63297c5a40e9b5ff030af99f3c7da1ce
Instruction ID: 97ca84ce4c1aebd87a25af4c1893583fe9b9bd09de5401689dcde1498ece8cf0
Opcode Fuzzy Hash: ff1185d674757ab3b9ef60e383ae3b7c63297c5a40e9b5ff030af99f3c7da1ce
Instruction Fuzzy Hash: 7E01B52220420166EA357A658D86FBF2768DFC1B54F50893BB948AA2C3D63DCC01527D

Uniqueness

Uniqueness Score: -1.00%

Function 004FAAD8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004FAAE9
SelectObject.GDI32(00000000,00000000), ref: 004FAB0B
GetTextExtentPointW.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,004FB0E7), ref: 004FAB1F
GetTextMetricsW.GDI32(00000000,?,00000000,00000000,00000000,004FAB64,?,00000000,?,?,00000000), ref: 004FAB41
ReleaseDC.USER32 ref: 004FAB5E

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004FAB16

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Text$ExtentMetricsObjectPointReleaseSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 844173074-222967699
Opcode ID: 8309e9a8a614fc4a65d7e0e1d7563ea021e4adc4a3ef1e4eb57e24d4c1d208bb
Instruction ID: eb33620f4a528fa46cfba91873aaab3ace2be4745cc87c30a72d5d013b15cb52
Opcode Fuzzy Hash: 8309e9a8a614fc4a65d7e0e1d7563ea021e4adc4a3ef1e4eb57e24d4c1d208bb
Instruction Fuzzy Hash: 1D0161B6B04248AFDB04DBE9CC41E6EB7FDDB48704F150476F604E3292D678AE108B28

Uniqueness

Uniqueness Score: -1.00%

Function 00445060, Relevance: 9.3, APIs: 6, Instructions: 312windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004450CB
GetTickCount.KERNEL32 ref: 004450F3
SendMessageW.USER32(00000000,0000014E,000000FF,00000000), ref: 004451F1
SendMessageW.USER32(00000000,00000142,00000000,?), ref: 00445242

Part of subcall function 00444FBC: SendMessageW.USER32(00000000,0000014E,000000FF,00000000), ref: 00445007
Part of subcall function 00444FBC: SendMessageW.USER32(00000000,00000142,00000000), ref: 00445038

PeekMessageW.USER32 ref: 0044539D
PeekMessageW.USER32 ref: 004453EB

Part of subcall function 00443CE8: SendMessageW.USER32(00000000,00000157,00000000,00000000), ref: 00443CFC

Part of subcall function 00443D0C: SendMessageW.USER32(00000000,0000014F,?,00000000), ref: 00443D28
Part of subcall function 00443D0C: InvalidateRect.USER32(00000000,000000FF,000000FF), ref: 00443D45

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Message$Send$CountPeekTick$InvalidateRect
String ID:
API String ID: 2065907832-0
Opcode ID: 413a88ad1878a4a916726fc25fbdda23806d470e8a9e4a9a7f728fc2962951be
Instruction ID: 4935a95f5f9f0fc0471dd3d68f2c1ed0c1230899b77a5c0847095f64fbc7b65c
Opcode Fuzzy Hash: 413a88ad1878a4a916726fc25fbdda23806d470e8a9e4a9a7f728fc2962951be
Instruction Fuzzy Hash: 2DC15530A005099BEF00DB95C985BEEB3B5EF44704F244567E401BB397D778AE46DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00473D2C, Relevance: 9.2, APIs: 6, Instructions: 151COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 00473DAB
GetClientRect.USER32 ref: 00473DD6
FillRect.USER32 ref: 00473DF2

Part of subcall function 00473CA0: CallWindowProcW.USER32(?,?,?,?,?), ref: 00473CDA

BeginPaint.USER32(?,?), ref: 00473E6A
GetWindowRect.USER32 ref: 00473E97
EndPaint.USER32(?,?,00473F0B), ref: 00473EF7

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Rect$FillPaintWindow$BeginCallClientProc
String ID:
API String ID: 901200654-0
Opcode ID: 31e0336ac9df40e18d3f3e5590b23ee098a46afeb69cd1d759d11c5b4f15d55e
Instruction ID: ca1e829862746c5db6b822d3dd2261a5d717388067ea29d7ca048ef1004d51cb
Opcode Fuzzy Hash: 31e0336ac9df40e18d3f3e5590b23ee098a46afeb69cd1d759d11c5b4f15d55e
Instruction Fuzzy Hash: 9651E875E04208EFCB50DFA9C585ADEB7F8AB08315F14C5AAF418A7252D738AE41DF08

Uniqueness

Uniqueness Score: -1.00%

Function 0047658C, Relevance: 9.1, APIs: 6, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00431F8C: EnterCriticalSection.KERNEL32(0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431F94
Part of subcall function 00431F8C: LeaveCriticalSection.KERNEL32(0050AF20,0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431FA1
Part of subcall function 00431F8C: EnterCriticalSection.KERNEL32(?,0050AF20,0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431FAA

SaveDC.GDI32(?), ref: 004765D9
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00476654
GetStockObject.GDI32(00000004), ref: 00476673
FillRect.USER32 ref: 0047668C
RestoreDC.GDI32(?,?), ref: 00476702

Part of subcall function 004306C0: GetSysColor.USER32(00432508), ref: 004306CA

SetBkColor.GDI32(00000000,00000000), ref: 004766D7

Part of subcall function 00431E8C: FillRect.USER32 ref: 00431EB5

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CriticalRectSection$ColorEnterFill$ClipExcludeLeaveObjectRestoreSaveStock
String ID:
API String ID: 3001281481-0
Opcode ID: fb274842b96beccf00edb8ade7124585d61aa095127905ea40cd9983a34417fe
Instruction ID: d38e9cc01919466152279994463ad2aa3329fbbc8784a2f9831560b0bea4f07d
Opcode Fuzzy Hash: fb274842b96beccf00edb8ade7124585d61aa095127905ea40cd9983a34417fe
Instruction Fuzzy Hash: BB41EB74A00648EFDB01DFA9C599E9E77F9EB09304F5644A6F908E7352C738AE40DB14

Uniqueness

Uniqueness Score: -1.00%

Function 0047BD0C, Relevance: 9.1, APIs: 6, Instructions: 98windowCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,?,0047B69E,00000000,0047BBCE), ref: 0047BD2E
ShowWindow.USER32(00000000,00000009,?,?,?,0047B69E,00000000,0047BBCE), ref: 0047BD51
IsWindowEnabled.USER32(00000000), ref: 0047BD73
DefWindowProcW.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,0047B69E,00000000,0047BBCE), ref: 0047BD8F
SetWindowPos.USER32(?,00000000,00000000,?,?,0047B69E,00000000,0047BBCE), ref: 0047BDDB
SetFocus.USER32(00000000,?,?,?,0047B69E,00000000,0047BBCE), ref: 0047BE29

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$ActiveEnabledFocusProcShow
String ID:
API String ID: 2052594614-0
Opcode ID: c776db7653cb647fcec3bc3f45f5891b552631f38cd9643a39898c451eba3200
Instruction ID: fab05185431b8413c2fc7102413ebb46783b2fca6ec70f11421247304e3639a3
Opcode Fuzzy Hash: c776db7653cb647fcec3bc3f45f5891b552631f38cd9643a39898c451eba3200
Instruction Fuzzy Hash: 78310E706006409BEB21EA65CCC5BEA27A4EB04708F0884B6FE489F397D76DEC448799

Uniqueness

Uniqueness Score: -1.00%

Function 00433398, Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004333E6
GetSystemMetrics.USER32 ref: 004333F2
GetDC.USER32(00000000), ref: 0043340E
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00433435
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00433442
ReleaseDC.USER32 ref: 0043347B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: a8867e4a5af838ebc4450a2cdaea44e7b3695b17798a5065638d72f791061843
Instruction ID: 10a078c6cdb5354d6897092c75105f3ab4e8e976a14d47c5d0000f8528dc16b8
Opcode Fuzzy Hash: a8867e4a5af838ebc4450a2cdaea44e7b3695b17798a5065638d72f791061843
Instruction Fuzzy Hash: F4314370A00205EFEB01DF65C881AAEBBB5FF4D714F10816AF814AB395C6749D41CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004B8EF8, Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,004B8FC3,?,?,?,00000000), ref: 004B8F62
SetLastError.KERNEL32(00000000,00000002,?,?,?,004B9064,?,00000000,004B8FC3,?,?,?,00000000), ref: 004B8FA1

Strings

USERS, xrefs: 004B8F54
MACHINE, xrefs: 004B8F45
CURRENT_USER, xrefs: 004B8F36
CLASSES_ROOT, xrefs: 004B8F27

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: 7a96acfe65d331c98d45180d0f3d443f2530f5def99249a89223065b1a1ceb58
Instruction ID: 7d268dca93ec31449704e8a19c303644d8c2d2922d5d103a8fa3f98022615f52
Opcode Fuzzy Hash: 7a96acfe65d331c98d45180d0f3d443f2530f5def99249a89223065b1a1ceb58
Instruction Fuzzy Hash: 1A115735214108AFDB00EEA5C991AFA72AEDB48344F61847F790562681DA7D9F01D63D

Uniqueness

Uniqueness Score: -1.00%

Function 004E06F4, Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004E0710
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,004FCA5D,00000000,004FD344), ref: 004E073F
GetWindowLongW.USER32(?,000000EC), ref: 004E0754
SetWindowLongW.USER32 ref: 004E077A
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 004E0793
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 004E07B4

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: a0f7aed80030da84f220263879103cfce8548d19df31fb8f64e47b8ff7784545
Instruction ID: 8a5f4901f25ab44273ccf00b5fddc28949ca47e71d1d0f0a71335c51213cfc66
Opcode Fuzzy Hash: a0f7aed80030da84f220263879103cfce8548d19df31fb8f64e47b8ff7784545
Instruction Fuzzy Hash: 68115B76245700DFC711EB69D885F6633E8BB0E311F0902A5FA59DB3E2C279AC44AF05

Uniqueness

Uniqueness Score: -1.00%

Function 004337F8, Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004336A4: GetObjectW.GDI32(?,00000054), ref: 004336B8

CreateCompatibleDC.GDI32(00000000), ref: 0043381A
SelectPalette.GDI32(?,?,00000000), ref: 0043383B
RealizePalette.GDI32(?), ref: 00433847
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0043385E
SelectPalette.GDI32(?,00000000,00000000), ref: 00433886
DeleteDC.GDI32(?), ref: 0043388F

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
String ID:
API String ID: 1221726059-0
Opcode ID: ca1ad0e1d705ba8b8bed82ddb834e231bb7893c59d3197838cebd93a68417ee6
Instruction ID: 4d1df5edb735d3572491198842ef3abffef6956a9d40e7ee5c79762cb56d7417
Opcode Fuzzy Hash: ca1ad0e1d705ba8b8bed82ddb834e231bb7893c59d3197838cebd93a68417ee6
Instruction Fuzzy Hash: 2B114FB5A002047FDB15EEA98C86F5EB7FCAF4C714F14846AB514E7382D6789E008B68

Uniqueness

Uniqueness Score: -1.00%

Function 00433044, Relevance: 9.1, APIs: 6, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0043305D
SelectObject.GDI32(00000000,00000000), ref: 00433066
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00435C8F,?,?,?,?,004341AB), ref: 0043307A
SelectObject.GDI32(00000000,00000000), ref: 00433086
DeleteDC.GDI32(00000000), ref: 0043308C
CreatePalette.GDI32 ref: 004330D3

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
String ID:
API String ID: 2515223848-0
Opcode ID: 67d5b31ad8e59d643610846fb53b20dfdd137163830d16b6c4bb75eee91133d8
Instruction ID: 10a01b2ebcba3fabeb6ce51341f1d29352740cce8b21cf4feb015a9e797e61c7
Opcode Fuzzy Hash: 67d5b31ad8e59d643610846fb53b20dfdd137163830d16b6c4bb75eee91133d8
Instruction Fuzzy Hash: 0701846120434062D714A77A9C43B6B72F89FC4719F04982FB588A73D3E67D8D04835A

Uniqueness

Uniqueness Score: -1.00%

Function 00401B0C, Relevance: 9.0, APIs: 7, Instructions: 298sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,00401ADA), ref: 00401BC3
Sleep.KERNEL32(0000000A,00000000,?,00401ADA), ref: 00401BD9
Sleep.KERNEL32(00000000,?,?,?,00401ADA), ref: 00401C07
Sleep.KERNEL32(0000000A,00000000,?,?,?,00401ADA), ref: 00401C1D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f2665f47995e0485457f0e2780245f5668f8ebccbaa697cd9a5133d53e961b81
Instruction ID: cbc8dfd461c6340acf1db927b4aa35f28c4891fc497053a84e4b188e38708ede
Opcode Fuzzy Hash: f2665f47995e0485457f0e2780245f5668f8ebccbaa697cd9a5133d53e961b81
Instruction Fuzzy Hash: 9FC146726002508BD725CF29DC8475ABBE0EB95320F18C27FE849AB3F5C778A855DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00442CA4, Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00442CB0
GetTextMetricsW.GDI32(?,?,00000000,00442D1A,?,00000000), ref: 00442CCE
SelectObject.GDI32(?,00000000), ref: 00442CE3
GetTextMetricsW.GDI32(?,?,?,00000000,?,?,00000000,00442D1A,?,00000000), ref: 00442CF2
SelectObject.GDI32(?,00000000), ref: 00442CFC
ReleaseDC.USER32 ref: 00442D14

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MetricsObjectSelectText$Release
String ID:
API String ID: 833910088-0
Opcode ID: 7f87a21389f62ce39c7bf41f826f1dcedc2af86a124b712b142eea22f75adcfe
Instruction ID: ae0a2ff06e7428296a63baba77d0671b5a5cfc29f0e662262cfcf32d2c6841bd
Opcode Fuzzy Hash: 7f87a21389f62ce39c7bf41f826f1dcedc2af86a124b712b142eea22f75adcfe
Instruction Fuzzy Hash: 1401E575A04248BFDB41EBE9CC51E9EB7FCEB0C704F510566F504E3292D6789D008B28

Uniqueness

Uniqueness Score: -1.00%

Function 0043272C, Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0043170C: CreateBrushIndirect.GDI32(?), ref: 004317B7

UnrealizeObject.GDI32(00000000), ref: 00432738
SelectObject.GDI32(00000000,00000000), ref: 0043274A
SetBkColor.GDI32(00000000,00000000), ref: 0043276D
SetBkMode.GDI32(00000000,00000002), ref: 00432778
SetBkColor.GDI32(00000000,00000000), ref: 00432793
SetBkMode.GDI32(00000000,00000001), ref: 0043279E

Part of subcall function 004306C0: GetSysColor.USER32(00432508), ref: 004306CA

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 03dfce32e7b03e070807b2da7cbc7753c3f69c98b2c12908884259f7362c2824
Instruction ID: d924aaae57d6af534c2e3b3453abf267d643b0867a8777519658f73120764626
Opcode Fuzzy Hash: 03dfce32e7b03e070807b2da7cbc7753c3f69c98b2c12908884259f7362c2824
Instruction Fuzzy Hash: 19F06FB5600140ABDF00FFAAD9C7D077BA86F48309B085496B904DF1ABC669DC104B39

Uniqueness

Uniqueness Score: -1.00%

Function 004B2358, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 245windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004B23D5
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004B23FC
SetForegroundWindow.USER32(?,00000000,004B26E9,?,00000000,004B2727), ref: 004B240D
DefWindowProcW.USER32(00000000,?,?,?,00000000,004B26E9,?,00000000,004B2727), ref: 004B26D4

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 004B2550

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MessagePostWindow$ForegroundProc
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 602442252-3182603685
Opcode ID: 8a3892ab6e1bc1161fe8d284de9cc0631bca2e18c070bc50293ad86dd8f0494d
Instruction ID: c0b2866982009758f5139b0b17c60d61db4cc145b66916fa1f5170bb4655b13e
Opcode Fuzzy Hash: 8a3892ab6e1bc1161fe8d284de9cc0631bca2e18c070bc50293ad86dd8f0494d
Instruction Fuzzy Hash: 4891B534604208AFEB15DF68D991F9ABBF5FB49700F1184A6F90497791CB78AD40DF28

Uniqueness

Uniqueness Score: -1.00%

Function 004B01B4, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 149registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004B035A,?,00000000,004B039A), ref: 004B029D

Strings

PendingFileRenameOperations2, xrefs: 004B0266
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004B0214
PendingFileRenameOperations, xrefs: 004B0230
WININIT.INI, xrefs: 004B02CC

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: ca9c49819cd285b2e52f0a0db85a83fe44ebc171eecbdd548ba0dc2b1512497e
Instruction ID: 8b2bf2004dcf31f50ce58d6375065bc2385e602e1d6443e39772af2abe95cc81
Opcode Fuzzy Hash: ca9c49819cd285b2e52f0a0db85a83fe44ebc171eecbdd548ba0dc2b1512497e
Instruction Fuzzy Hash: 33518630A042089FDB14DFA5D855ADFB7F8EB45304F5080BBE945E7391DB78AE05CA28

Uniqueness

Uniqueness Score: -1.00%

Function 00458E44, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(0050B10C), ref: 00458E65
GetCursor.USER32(0050B10C), ref: 00458E81

Part of subcall function 00458034: SetCapture.USER32(00000000,Function_000581D8,00000000,?,00458E95,0050B10C), ref: 00458043

GetDesktopWindow.USER32 ref: 00458F73

Strings

(GE, xrefs: 00458EA2
X~E, xrefs: 00458F8C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Cursor$CaptureDesktopWindow
String ID: (GE$X~E
API String ID: 669539147-428204910
Opcode ID: 50a98c42ccfaf7ce6c9f9f2f6211b075bf0ad58f6d5024f54c47543e506a07f1
Instruction ID: a2272b759aad7807cea790850517ee59c322f9e46e9b8c95fbcb818153eaeef1
Opcode Fuzzy Hash: 50a98c42ccfaf7ce6c9f9f2f6211b075bf0ad58f6d5024f54c47543e506a07f1
Instruction Fuzzy Hash: 8241B0716142008FD304DF29E8A86197BE2FB9D311F19C66EE8499B362CF74D849DF89

Uniqueness

Uniqueness Score: -1.00%

Function 004FDAD4, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 0047BF28: SetWindowTextW.USER32(?,00000000), ref: 0047BF58

ShowWindow.USER32(?,00000005,00000000,004FDD8E,?,?,00000000,?), ref: 004FDB1A

Part of subcall function 0047F740: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0047F753

Part of subcall function 0040DD04: SetCurrentDirectoryW.KERNEL32(00000000,?,004FDB42,00000000,004FDD55,?,?,00000005,00000000,004FDD8E,?,?,00000000,?), ref: 0040DD0F

Part of subcall function 0047F29C: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,0047F333,?,?,?,00000001,?,004B0D32,00000000,004B0D9F), ref: 0047F2D1

Strings

.msg, xrefs: 004FDB80
IMsg, xrefs: 004FDBEE
.dat, xrefs: 004FDB61
Uninstall, xrefs: 004FDB00

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: 3464bb1b5a40a5836e3aea9abb12710a14251260c2e8292266821b53fe59e360
Instruction ID: 16bd99ad4d4e2e742343a168082ca7933a37df857d856ee64ba0d307e459f67d
Opcode Fuzzy Hash: 3464bb1b5a40a5836e3aea9abb12710a14251260c2e8292266821b53fe59e360
Instruction Fuzzy Hash: 6F416234A002089FC700EF65CD529AF7BF6FB4A704F50856AFA00A7362DB39AD05DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00452BD4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00452C55
SetMenuItemInfoW.USER32 ref: 00452CAD
DrawMenuBar.USER32(00000000,00000000,00000000,000000FF,00000030,00000000,00000000,000000FF,00000030,00000000,00452CCD,?,?,?,004533E5,00453418), ref: 00452CBA

Strings

P, xrefs: 00452C0A
,, xrefs: 00452C2E

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: ,$P
API String ID: 3227129158-1419105988
Opcode ID: 3fa19f8121811a9806d3dd80a45565aa98cbb13ca63ba6c3ad358118ffbea68b
Instruction ID: 0be6e2b87da41e439f41ba10be101996003373bbd41e1ea7d0ab9d8ac663d510
Opcode Fuzzy Hash: 3fa19f8121811a9806d3dd80a45565aa98cbb13ca63ba6c3ad358118ffbea68b
Instruction Fuzzy Hash: FD210330A002089FDB12DF68DD80B9E77B8EB06315F504167F800E7383D7B88848CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004526E0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameW.USER32(00000000), ref: 0045270A

Part of subcall function 0042E85C: RegCloseKey.ADVAPI32(10AC0000,0042E6D8,00000001,0042E7DA,?,?,0043740E,00000008,00000060,00000048,00000000,004374AE), ref: 0042E870

Part of subcall function 0042E8C0: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0042EA71), ref: 0042E939

Part of subcall function 00413C38: SetErrorMode.KERNEL32(00008000,?), ref: 00413C42
Part of subcall function 00413C38: LoadLibraryW.KERNEL32(00000000,00000000,00413C8C,?,00000000,00413CAA,?,00008000,?), ref: 00413C71

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

FreeLibrary.KERNEL32(?,004527D9,?,00000000,00452819), ref: 004527CC

Strings

KbdLayerDescriptor, xrefs: 00452796
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 0045274F
Layout File, xrefs: 0045276B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Library$AddressCloseErrorFreeKeyboardLayoutLoadModeNameOpenProc
String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
API String ID: 3365787578-2194312379
Opcode ID: 81f33ccf6b2b4c512f2a48c87c65e5ff407c6647dfe4936c3518e3706cf01b58
Instruction ID: 6a67a1bf7eaac59bab48e2940c1a7806e22ced5ed4176676752f73896576dce2
Opcode Fuzzy Hash: 81f33ccf6b2b4c512f2a48c87c65e5ff407c6647dfe4936c3518e3706cf01b58
Instruction Fuzzy Hash: C031BF35A00208AFCB01EFA2D9519DDB7F5FB89704B61847BE800B7692D77D9D49CB28

Uniqueness

Uniqueness Score: -1.00%

Function 004B1EA0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000B06,00000000,00000000), ref: 004B1EBA
SendMessageW.USER32(00000000,00000B00,00000000,00000000), ref: 004B1F57

Strings

l?P, xrefs: 004B1F2F
Failed to create DebugClientWnd, xrefs: 004B1F20
Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 004B1EE6

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd$l?P
API String ID: 3850602802-850641457
Opcode ID: 63bb1d2395ae499cde3c56a8d72870e6e6202399f16402b5a2e457f3059e368f
Instruction ID: 5cb4ff35a8ed3dae1f69dde1b4f306a5bded618f166fc975eee933eb53613759
Opcode Fuzzy Hash: 63bb1d2395ae499cde3c56a8d72870e6e6202399f16402b5a2e457f3059e368f
Instruction Fuzzy Hash: E81127B06043429FF710AB28DC91B9F37D4AB55318F40442AFA84CB3A2D7B88C04C77A

Uniqueness

Uniqueness Score: -1.00%

Function 0047D228, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(00000000), ref: 0047D23C
GetWindowLongW.USER32(00000000,000000EC), ref: 0047D27E
SetWindowLongW.USER32 ref: 0047D28F
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,-00000001,00000000,?,0047D349,?,?,?,00000000), ref: 0047D2B7

Strings

<*G, xrefs: 0047D22F, 0047D257, 0047D2AA, 0047D271, 0047D28B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$Long$Visible
String ID: <*G
API String ID: 2967648141-1440996861
Opcode ID: b93ad06817a46b1853e4508348062faf2b4d6efccd7daebd0d5d7e1855421084
Instruction ID: 74c0ac49814f6f16f5a16242ba7835f76b82a1a36174a1016be96195002fb6ca
Opcode Fuzzy Hash: b93ad06817a46b1853e4508348062faf2b4d6efccd7daebd0d5d7e1855421084
Instruction Fuzzy Hash: 0B118231625654AFDB01DB68D848EE93BE8AB09354F0441A2F988CB3A2C239DD45C759

Uniqueness

Uniqueness Score: -1.00%

Function 00437B74, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00437B91
FindWindowExW.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 00437BC2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00437BFB
GetCurrentThreadId.KERNEL32 ref: 00437C02

Part of subcall function 00408F00: TlsGetValue.KERNEL32(00000000,00000000,004030E2,00000002,00405109,?,?,?,00000002,004051BA,00403127,0040316E,?,00000000,?,?), ref: 00408F25

Strings

OleMainThreadWndClass, xrefs: 00437BBB

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$Thread$CurrentFindProcessValue
String ID: OleMainThreadWndClass
API String ID: 973455579-3883841218
Opcode ID: 5e3ccd101e70d3618eff460caa60f350d32bac3868aa960d117afcd6dd1e0979
Instruction ID: 064da7baf21e2bf68efade22880305532465f4092da10b4225a5c616f990ceb8
Opcode Fuzzy Hash: 5e3ccd101e70d3618eff460caa60f350d32bac3868aa960d117afcd6dd1e0979
Instruction Fuzzy Hash: 7A0125711045059EC731AB758989BAA32A59F4435CF0510BFF784AB2E7DE3C5C009AAA

Uniqueness

Uniqueness Score: -1.00%

Function 00403E68, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403E8A
RegQueryValueExW.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403ED9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403EBD
RegCloseKey.ADVAPI32(?,00403EE0,00000000,?,00000004,00000000,00403ED9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403ED3

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 00403E80
FPUMaskValue, xrefs: 00403EB4

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 62e2baba4de9b5733a28aa2b8a1bcec69969672daae366b5d7575531065afb93
Instruction ID: 36a595a1fcb2064f1e6e4326d6c42b9745205ffc86cbc8c738bdc25c469eb9e4
Opcode Fuzzy Hash: 62e2baba4de9b5733a28aa2b8a1bcec69969672daae366b5d7575531065afb93
Instruction Fuzzy Hash: AC015275A40308BAE711DF91CD46BBE77ECD708B01F600177BA04E65D0E6796A14D698

Uniqueness

Uniqueness Score: -1.00%

Function 004B2F50, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 004B2F82
GetExitCodeProcess.KERNEL32 ref: 004B2FA5
CloseHandle.KERNEL32(?,004B2FD8,00000001,00000000,000000FF,000000FF,00000000,004B2FD1), ref: 004B2FCB

Strings

GetExitCodeProcess, xrefs: 004B2FAE
MsgWaitForMultipleObjects, xrefs: 004B2F91

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: 9f3ce1f9fd9cf2df3c66eb57862ff3480c3794f4d4b5606ab1317d86ece25759
Instruction ID: f9c96adb5db76e043f36f85f413a9ba826dccd1782af7b4d783150c9fdb694e0
Opcode Fuzzy Hash: 9f3ce1f9fd9cf2df3c66eb57862ff3480c3794f4d4b5606ab1317d86ece25759
Instruction Fuzzy Hash: 7D018430604204AFDB21EBA9CD41AAE73B8EB4A724F504576F910D77D1D6B89D40E629

Uniqueness

Uniqueness Score: -1.00%

Function 004AE821, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000020), ref: 004AE82E
DeleteFileW.KERNEL32(00000000,00000000,00000020), ref: 004AE83C
MoveFileW.KERNEL32(00000000,00000000), ref: 004AE85F

Part of subcall function 004ADC34: GetLastError.KERNEL32(00000000,004AE8EE,00000005,00000000,004AE916,?,?,00000000,0050B17C,00000000,00000000,00000000,?,004FE26B,00000000,004FE286), ref: 004ADC37

Strings

DeleteFile, xrefs: 004AE84B
MoveFile, xrefs: 004AE868

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3024442154-139070271
Opcode ID: 67a93e20512ab7d3c48e5b2d7634e6a2ee4abb9aead1ef70966b2b708f0bba7f
Instruction ID: a14352d00bb1c26c699235b1054e29f78f0f7873118da63199c57f037ee0bb5e
Opcode Fuzzy Hash: 67a93e20512ab7d3c48e5b2d7634e6a2ee4abb9aead1ef70966b2b708f0bba7f
Instruction Fuzzy Hash: F5F08171A182058ADB00FBB7984266E62D8EB6630CF61443BB415E36C3DA3DDC11822D

Uniqueness

Uniqueness Score: -1.00%

Function 00406F50, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,0040DD01,004D94A0,00000000,004D957C,?,00000000,004D959E), ref: 00406F87
SetCurrentDirectoryW.KERNEL32(?,00000105,?,?,?,0040DD01,004D94A0,00000000,004D957C,?,00000000,004D959E), ref: 00406F8D
GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,0040DD01,004D94A0,00000000,004D957C,?,00000000,004D959E), ref: 00406F9C
SetCurrentDirectoryW.KERNEL32(?,00000105,?,?,?,0040DD01,004D94A0,00000000,004D957C,?,00000000,004D959E), ref: 00406FAD

Strings

:, xrefs: 00406F6C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 1f1dfc061f7ce5fba94a525a68724fe0d7d7d2d3a1c0c8f4a9b96ff4fc67da8a
Instruction ID: 2a2578a9873e554637340ad988b15cacb881584caf9c4433a20746dd45dae6f2
Opcode Fuzzy Hash: 1f1dfc061f7ce5fba94a525a68724fe0d7d7d2d3a1c0c8f4a9b96ff4fc67da8a
Instruction Fuzzy Hash: D8F024751403416AD310E7A08892AEB73DCEF44308F00883FBAC8D72E1E77C8958836B

Uniqueness

Uniqueness Score: -1.00%

Function 004809D8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00503F6C,004B1F3E,004B2358,004B1E94,00000000,00000B06,00000000,00000000), ref: 004809F1

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

InterlockedExchange.KERNEL32(0050B1B0,00000001), ref: 00480A08

Part of subcall function 00480944: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,00480A2C,00000004,00503F6C,004B1F3E,004B2358,004B1E94,00000000,00000B06,00000000,00000000), ref: 0048095A
Part of subcall function 00480944: InterlockedExchange.KERNEL32(0050B1A8,00000001), ref: 00480971

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00503F6C,004B1F3E,004B2358,004B1E94,00000000,00000B06,00000000,00000000), ref: 00480A1C

Strings

user32.dll, xrefs: 004809EC
ChangeWindowMessageFilterEx, xrefs: 004809E7

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ExchangeHandleInterlockedModule$AddressChangeFilterMessageProcWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 203963768-2676053874
Opcode ID: c25bf230996ddfe7fde163834d50b520b5fde32b4ade4cb83102c35b07176e3b
Instruction ID: fed4213dc60b6a53fb0c0dc2d18e3eb25aa48b0ac894b788902a48676d7ec295
Opcode Fuzzy Hash: c25bf230996ddfe7fde163834d50b520b5fde32b4ade4cb83102c35b07176e3b
Instruction Fuzzy Hash: 02E092717613146AF65477B56CDAF9E22689BA4719F10483BF100A12D3D3BD0C48D35C

Uniqueness

Uniqueness Score: -1.00%

Function 0041D4FC, Relevance: 7.8, APIs: 5, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1bc276161b077b3f35d4ec6113939ce3098cb1e782e101673e1e12522c82151
Instruction ID: b8cf1d3c093d4cfb9e422b9652eec8a78842bacad82b6ae9f5ec372978fd3a80
Opcode Fuzzy Hash: f1bc276161b077b3f35d4ec6113939ce3098cb1e782e101673e1e12522c82151
Instruction Fuzzy Hash: 85D1C3B5E00109EFCB00EF95C4819FEBBB6EF48314F5540A7E840A7251D738AE86DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041BFE0, Relevance: 7.8, APIs: 5, Instructions: 271COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0041C04C
VariantInit.OLEAUT32(?), ref: 0041C162

Part of subcall function 0041EE80: EnterCriticalSection.KERNEL32(0050AE44,?,?,?,?,?,0041691B,?,?,?,0041694E,00416956), ref: 0041EEB6
Part of subcall function 0041EE80: LeaveCriticalSection.KERNEL32(0050AE44,0041EF2F,?,0050AE44,?,?,?,?,?,0041691B,?,?,?,0041694E,00416956), ref: 0041EF22

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CriticalInitSectionVariant$EnterLeave
String ID:
API String ID: 2777075435-0
Opcode ID: 53dd09b0cad621a136c1de240b1c8459001efe9715668e8e97f2a87584f8e984
Instruction ID: b2ae744d9f93c07f62625e8640f866979ea6ac032e732234d17a511dae6f89f1
Opcode Fuzzy Hash: 53dd09b0cad621a136c1de240b1c8459001efe9715668e8e97f2a87584f8e984
Instruction Fuzzy Hash: 3AB12835A40208EFCB00EFA5C9C18EDB7B5EF49714F9144A6F804A7251D738AE86DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00472CF4, Relevance: 7.7, APIs: 5, Instructions: 181COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000000,?,00000000), ref: 00472DC7
MulDiv.KERNEL32(?,00000000,00000000), ref: 00472E56
MulDiv.KERNEL32(?,00000000,00000000), ref: 00472E85
MulDiv.KERNEL32(?,00000000,00000000), ref: 00472EB4
MulDiv.KERNEL32(?,00000000,00000000), ref: 00472ED7

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2197b12eedfb51950ab1bc656f6f1be6f3e913ff71d99cb144d58ea26ebec8c4
Instruction ID: e3bef70ded846c04862a87e0df29dfab198a40cc4286244209955e0b984a1145
Opcode Fuzzy Hash: 2197b12eedfb51950ab1bc656f6f1be6f3e913ff71d99cb144d58ea26ebec8c4
Instruction Fuzzy Hash: 3781C734A00148EFDB04DB99C689E9EB7F5BB48304F2581F5E808DB362DB74AE44EB44

Uniqueness

Uniqueness Score: -1.00%

Function 0046A0B0, Relevance: 7.7, APIs: 5, Instructions: 178COMMON

Download Yara Rule

APIs

Part of subcall function 00431E8C: FillRect.USER32 ref: 00431EB5

CreateRectRgn.GDI32(?,?,?,?), ref: 0046A11C
SelectObject.GDI32(00000000,?), ref: 0046A137

Part of subcall function 0043170C: CreateBrushIndirect.GDI32(?), ref: 004317B7

FrameRgn.GDI32(00000000,?,00000000,00000001,00000001), ref: 0046A189
SelectObject.GDI32(00000000,?), ref: 0046A2C9
DeleteObject.GDI32(?), ref: 0046A2D2

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Object$CreateRectSelect$BrushDeleteFillFrameIndirect
String ID:
API String ID: 3847799725-0
Opcode ID: 7624949f4bee1d9fbf7e1313e49e8b7fcdeebbb2a4a8f6aed500fb80bf5d33c4
Instruction ID: bf6ecd47775ece5d0b767befde189b2c173e02802fb0a6363b6c4df03a31015e
Opcode Fuzzy Hash: 7624949f4bee1d9fbf7e1313e49e8b7fcdeebbb2a4a8f6aed500fb80bf5d33c4
Instruction Fuzzy Hash: CD71B435A0050AEFCB00DFA9C985EDEB3F9BF09304F1140A6F914AB262D775AE06DB55

Uniqueness

Uniqueness Score: -1.00%

Function 004251C4, Relevance: 7.6, APIs: 5, Instructions: 142COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00000000,00425366), ref: 00425224
CharNextW.USER32(?,?,00000000,00425366), ref: 004252CC
CharNextW.USER32(?,?,00000000,00425366), ref: 004252F1
CharNextW.USER32(00000000,?,?,00000000,00425366), ref: 00425309

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 8c70209c64ea5f4b1fefbd18c905afcb8817ef95ff3678df491eb711504daece
Instruction ID: 039948a37cc9e478bb089503868b010f7a8e31320ffe479a416377353a365109
Opcode Fuzzy Hash: 8c70209c64ea5f4b1fefbd18c905afcb8817ef95ff3678df491eb711504daece
Instruction Fuzzy Hash: F8515C30B04A24DFCF11EFA9E480A5977B1EF06354F8111E6E801DB3A5DB78AE81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00460EBC, Relevance: 7.6, APIs: 5, Instructions: 126COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00460EE7
SaveDC.GDI32(00000000), ref: 00460F20
ExcludeClipRect.GDI32(00000000,?,?,?,?,00000000,00460FDE,?,00000000,0046101B), ref: 00460FA2
RestoreDC.GDI32(00000000,?), ref: 00460FD8
EndPaint.USER32(00000000,?,00461022), ref: 00461015

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: af9f1a8401d38bfd6883625a2123b92d566b98a576f3a69a0e993ffc0c0bdfe0
Instruction ID: 826c0ccb743ca4c6f701f426c5c07c7349eaa674ccdd9abd436e2e436901cf3c
Opcode Fuzzy Hash: af9f1a8401d38bfd6883625a2123b92d566b98a576f3a69a0e993ffc0c0bdfe0
Instruction Fuzzy Hash: D2414170A042489FDB18CF98C555FAFB7F4FB48304F1544AAE944973A2E7B99D40CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00471AA8, Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,?,00000000,?,00471C5D,?,?,?,?), ref: 00471AE6
FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,00000000,00000001,?,00000000,?,00000000,?,00471C5D,?,?,?,?), ref: 00471B17
FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,00000000,00000001,?,00000000,?,00000000,?,00471C5D,?,?,?,?), ref: 00471B48
FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,00000000,00000001,?,00000000,?,00000000,?,00471C5D,?,?,?,?), ref: 00471B79
FlatSB_SetScrollProp.COMCTL32(00000000,?,00000000,00000000,00000000,00000001,?,00000000,?,00000000,?,00471C5D,?,?,?,?), ref: 00471BA7

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FlatPropScroll
String ID:
API String ID: 3625857538-0
Opcode ID: 7025696679e20e813f48477b34f506e8f3d64abe4bd871a10f53aaffbcb3a6cd
Instruction ID: 8a1a06fec9130dbae4499fe5a78f0dd192bb88b1e33e491d0ebb219a8291d13c
Opcode Fuzzy Hash: 7025696679e20e813f48477b34f506e8f3d64abe4bd871a10f53aaffbcb3a6cd
Instruction Fuzzy Hash: F831E2706000949FD750DF9ED882F1577E8AF2D309B15089AF288DB362D73AEE64DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00437C48, Relevance: 7.6, APIs: 5, Instructions: 86windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00437B74: IsWindow.USER32(?), ref: 00437B91
Part of subcall function 00437B74: FindWindowExW.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 00437BC2
Part of subcall function 00437B74: GetWindowThreadProcessId.USER32(?,00000000), ref: 00437BFB
Part of subcall function 00437B74: GetCurrentThreadId.KERNEL32 ref: 00437C02

MsgWaitForMultipleObjectsEx.USER32 ref: 00437C76
PeekMessageW.USER32 ref: 00437C91
TranslateMessage.USER32(?), ref: 00437C9E
DispatchMessageW.USER32 ref: 00437CA7
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 00437CD3

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MessageWindow$MultipleObjectsThreadWait$CurrentDispatchFindPeekProcessTranslate
String ID:
API String ID: 2725875890-0
Opcode ID: 4aecd409cfa6e0a08a5501d90ae5e2fd6f5d4d66a20cc5aa769dfc03c859264a
Instruction ID: c649e18c8a116dec4ff50d37cf8d0e9faa0789f1046b021f66ae5d3603fb60d5
Opcode Fuzzy Hash: 4aecd409cfa6e0a08a5501d90ae5e2fd6f5d4d66a20cc5aa769dfc03c859264a
Instruction Fuzzy Hash: 6221B8B1604209ABEB20DEA4CCC5FAF73A8EB0D310F10553AFA45D7281D67DDD4087A9

Uniqueness

Uniqueness Score: -1.00%

Function 0044E254, Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0389341839b713f552b0060847668c986b048af33998209091a73a8017c9c40e
Instruction ID: 30c546c28b0b3f10370e633a50cd866ef923edf63333ce4bf924fae17ea87c24
Opcode Fuzzy Hash: 0389341839b713f552b0060847668c986b048af33998209091a73a8017c9c40e
Instruction Fuzzy Hash: 6211A220B447495AFB216F3B8805B6BA798BF51749F04416FBC819B383CBBDDC06869D

Uniqueness

Uniqueness Score: -1.00%

Function 00435C44, Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00435C9A
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00435CAF
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00435CB9
CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004341AB,00000000,00434237), ref: 00435CDD
ReleaseDC.USER32 ref: 00435CE8

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CapsDevice$CreateHalftonePaletteRelease
String ID:
API String ID: 2404249990-0
Opcode ID: 1fb7bcc4418045507bcbef6190e711986303ca9f2eda62e36956f3bc8fc0846a
Instruction ID: 79c8f7aab788e8a915c0d4527913d293c6a33452246558e417e50af7672ca098
Opcode Fuzzy Hash: 1fb7bcc4418045507bcbef6190e711986303ca9f2eda62e36956f3bc8fc0846a
Instruction Fuzzy Hash: 0211AF21600B999ADB20AF2589457AB37D0AB08759F00312BFC409A6D2D7B88D90C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00432FAC, Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00432FC4
GetDeviceCaps.GDI32(?,00000068), ref: 00432FE0
GetPaletteEntries.GDI32(4B080B07,00000000,00000008,?), ref: 00432FF8
GetPaletteEntries.GDI32(4B080B07,00000008,00000008,?), ref: 00433010
ReleaseDC.USER32 ref: 0043302C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: EntriesPalette$CapsDeviceRelease
String ID:
API String ID: 3128150645-0
Opcode ID: e7a1ce26c815af519e51ed66510900fe43fe160fd3092e6ea61e0ec364eea3f2
Instruction ID: a56531118d9863fb10815c96dd6a611ba491c04187801057ef52dd939134cfbc
Opcode Fuzzy Hash: e7a1ce26c815af519e51ed66510900fe43fe160fd3092e6ea61e0ec364eea3f2
Instruction Fuzzy Hash: A7116B715483407EFB04CFA9CC42F6E77ACE748718F10806BF140DA1C2C97A5904C725

Uniqueness

Uniqueness Score: -1.00%

Function 0041124C, Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,004112E3,?,?,00000000), ref: 00411264

Part of subcall function 00410FC0: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00410FDE

GetThreadLocale.KERNEL32(00000000,00000004,00000000,004112E3,?,?,00000000), ref: 00411294
EnumCalendarInfoW.KERNEL32(Function_00011198,00000000,00000000,00000004,00000000,004112E3,?,?,00000000), ref: 0041129F
GetThreadLocale.KERNEL32(00000000,00000003,Function_00011198,00000000,00000000,00000004,00000000,004112E3,?,?,00000000), ref: 004112BD
EnumCalendarInfoW.KERNEL32(Function_000111D4,00000000,00000000,00000003,Function_00011198,00000000,00000000,00000004,00000000,004112E3,?,?,00000000), ref: 004112C8

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: c03cbbab021a088dcf241721cd7fa43820a36a10f1099d416169162be8708c08
Instruction ID: 71e337b8903215346f0d11bd996a580e686b1bae27cfd0822ec513da61ab7c51
Opcode Fuzzy Hash: c03cbbab021a088dcf241721cd7fa43820a36a10f1099d416169162be8708c08
Instruction Fuzzy Hash: E101F7716041087BE701E7A5CC13FAE7258DB46718F6105B7FA00F66E5DA7C9E4182AC

Uniqueness

Uniqueness Score: -1.00%

Function 0047A614, Relevance: 7.5, APIs: 5, Instructions: 25synchronizationthreadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 0047A623
SetEvent.KERNEL32(00000000,0047D5B6,00000000,0047C13F,?,00000000,?,00000001,0047C345,?,00000000,00000200,0000020A,00000001), ref: 0047A63E
GetCurrentThreadId.KERNEL32 ref: 0047A643
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0047D5B6,00000000,0047C13F,?,00000000,?,00000001,0047C345,?,00000000,00000200,0000020A,00000001), ref: 0047A658
CloseHandle.KERNEL32(00000000,00000000,0047D5B6,00000000,0047C13F,?,00000000,?,00000001,0047C345,?,00000000,00000200,0000020A,00000001), ref: 0047A663

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: f539b978b370090098519c0908445b912ef1f24d90955e0ce02e39dc3564386f
Instruction ID: fdb1547cf2729da18b8a49f4eb24dcedda4dc54bb5e6cab3409386dad74de87f
Opcode Fuzzy Hash: f539b978b370090098519c0908445b912ef1f24d90955e0ce02e39dc3564386f
Instruction Fuzzy Hash: B9F03071511280DAF710EBB9ECDAA4E33A8A365304F08492AB318E32E1C7389858EB15

Uniqueness

Uniqueness Score: -1.00%

Function 0040D850, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 249shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameW.MPR(00000000,00000001,?,00000400), ref: 0040D8C0
WNetOpenEnumW.MPR(00000001,00000001,00000000,00000000,?), ref: 0040D9C6
WNetEnumResourceW.MPR(?,FFFFFFFF,?,?), ref: 0040DA1E

Strings

Z, xrefs: 0040D921

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: 73dab4456253812b7359efbba28692fbe416c6847636f4448538d0e4d2fe57dc
Instruction ID: 190c6ed948e2d57fd130db97bf6bd7a8798f98241d9fad51eb2170363c6e3541
Opcode Fuzzy Hash: 73dab4456253812b7359efbba28692fbe416c6847636f4448538d0e4d2fe57dc
Instruction Fuzzy Hash: B1A14C70E00209DBCF10EFA9C941AEEB7B5EF48304F11417AE401B7295D778AE89DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411300, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 177threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,00411533,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041133B

Part of subcall function 00410FC0: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00410FDE

Strings

ggg, xrefs: 0041145A
eeee, xrefs: 00411486
yyyy, xrefs: 0041146A

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 8e6b5ccbfcd17d1edf2c889ba857530c577b4f58f79652f87ebcdea3edc29d36
Instruction ID: bc785bebb976542844e4eff0edc208da79edf864bec7e6377600377858c166f1
Opcode Fuzzy Hash: 8e6b5ccbfcd17d1edf2c889ba857530c577b4f58f79652f87ebcdea3edc29d36
Instruction Fuzzy Hash: 7651A931B001099BDB10EB69C5829EEB3B6DF80304B20847BEA12A73B5D73CDD96965D

Uniqueness

Uniqueness Score: -1.00%

Function 0045BF8C, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

MapWindowPoints.USER32 ref: 0045BFE9
MapWindowPoints.USER32 ref: 0045C0DD
MapWindowPoints.USER32 ref: 0045C126

Strings

(GE, xrefs: 0045C096

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: PointsWindow
String ID: (GE
API String ID: 4123100037-1888592535
Opcode ID: f37d1f72787db808f35fa24298b6e108e85ad11375b467999a55a3b5d7d28386
Instruction ID: 97c814bbe45b7fcbcbe4479e4f05c2b1f47d317204f8357dcc3fe63b2ad2badf
Opcode Fuzzy Hash: f37d1f72787db808f35fa24298b6e108e85ad11375b467999a55a3b5d7d28386
Instruction Fuzzy Hash: D8514F71A002089FCB10DFA9D881ADEB7F5AF49705F1441AAED04FB392D7799E08CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004A6D98, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 004A6E25
DrawTextW.USER32(00000000,00000000,?,?,00000D20), ref: 004A6E5A
DrawTextW.USER32(?,00000000,?,00000000,00000800), ref: 004A6EEC

Strings

, xrefs: 004A6E0A

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: a2ae6765dd0d0f12910ae12e7e76923114d7d8dc6f844ee9027fcbded5def904
Instruction ID: e781b6c8f7d3cf36b22da044480c0b30d82e40f8a015fbb439d0d9c2a877b3a4
Opcode Fuzzy Hash: a2ae6765dd0d0f12910ae12e7e76923114d7d8dc6f844ee9027fcbded5def904
Instruction Fuzzy Hash: D5519071A002089FDB10CFA9C8857EEBBF5FF59314F19447AE805A7252C778AA44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004B0A78, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetDiskFreeSpaceExW,00000000,004B0BC1), ref: 004B0AB1

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

GetDiskFreeSpaceExW, xrefs: 004B0AA7
kernel32.dll, xrefs: 004B0AAC

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 1646373207-1127948838
Opcode ID: c1e043c8253ff10d34c1658abe8dd9afdccb6a116e6bfe2e6d288f93909a21b2
Instruction ID: f17c09da845011f287a1b8d983794b1e0dfa65d8092af23d93cb9f6b5e720b4e
Opcode Fuzzy Hash: c1e043c8253ff10d34c1658abe8dd9afdccb6a116e6bfe2e6d288f93909a21b2
Instruction Fuzzy Hash: 38415171A04248AFCB01DFE6D882DDFBBB8EF49308F51896BF404B3251D6386905CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00481014, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0048103E
SelectObject.GDI32(?,00000000), ref: 00481061
ReleaseDC.USER32 ref: 00481147

Strings

...\, xrefs: 004810F9

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ObjectReleaseSelect
String ID: ...\
API String ID: 1831053106-983595016
Opcode ID: dc94da87de19fab721221be243ba54b8e0c0972d4159a55adf79ecba08b9e71a
Instruction ID: 10013f02066f25e396424dd740e50138a856e717a50cd59f53b173ec13ea6c44
Opcode Fuzzy Hash: dc94da87de19fab721221be243ba54b8e0c0972d4159a55adf79ecba08b9e71a
Instruction Fuzzy Hash: FF315530A00148AFDF10EB9AC885B9EB7F9EF49304F1144BBF504A76A1D7789E45C759

Uniqueness

Uniqueness Score: -1.00%

Function 004AE0F8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,004AE233), ref: 004AE1E3
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,004AE233), ref: 004AE1F3

Strings

.tmp, xrefs: 004AE197
_iu, xrefs: 004AE185

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$_iu
API String ID: 3498533004-10593223
Opcode ID: 1fb0130c8018adbad86fbbcf984e1c9db90b030fd297327605ff3679ce16548d
Instruction ID: 1141767e252206f58913cfb5af5e94aeabfa58095550552472d484252e88840d
Opcode Fuzzy Hash: 1fb0130c8018adbad86fbbcf984e1c9db90b030fd297327605ff3679ce16548d
Instruction Fuzzy Hash: 3131C630E00259ABDB10EBA6C842BDEB7B4EF55308F1041AAF910773C1D73C6E018B69

Uniqueness

Uniqueness Score: -1.00%

Function 0047CF74, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103timethreadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047CEE8: GetCursorPos.USER32 ref: 0047CEEF

SetTimer.USER32(00000000,00000000,503B0C55,00000000), ref: 0047D05F
GetCurrentThreadId.KERNEL32 ref: 0047D099
WaitMessage.USER32(00000000,0047D0DD,?,?,?,00000000), ref: 0047D0BD

Strings

<`P, xrefs: 0047D09E

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CurrentCursorMessageThreadTimerWait
String ID: <`P
API String ID: 3909455694-3701931957
Opcode ID: f4f70071beb7e4e95dcf0a27aaed517e70c5bce775cc2c211ce9530fabb15181
Instruction ID: 8a2324f82086e794841398e0f77df9182ed64bd59ce6e2c4afa8b3a25305f202
Opcode Fuzzy Hash: f4f70071beb7e4e95dcf0a27aaed517e70c5bce775cc2c211ce9530fabb15181
Instruction Fuzzy Hash: EB418C70A14284DFEB11DB64C996BDE77F5EF05308F5080AAE40897291C378AE05DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004FE0BC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,000000EC,00000000,004FE1BC,?,?,00000000,0050B17C,004FE609,?,00000000,00000000,00000000,004FE639,?,?), ref: 004FE12E
SetFileAttributesW.KERNEL32(00000000,00000000,00000000,000000EC,00000000,004FE1BC,?,?,00000000,0050B17C,004FE609,?,00000000,00000000,00000000,004FE639), ref: 004FE157
MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,000000EC,00000000,004FE1BC,?,?,00000000,0050B17C,004FE609,?,00000000,00000000,00000000), ref: 004FE170

Strings

isRS-%.3u.tmp, xrefs: 004FE10D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: 75a38f12078c055da401d1afc42f780424b22e11fe9a0d66e53b884974dac955
Instruction ID: f8ee58a520a7c5bb2b90c5d473876677309a2cb4b7756861de9105c26de28572
Opcode Fuzzy Hash: 75a38f12078c055da401d1afc42f780424b22e11fe9a0d66e53b884974dac955
Instruction Fuzzy Hash: 8B316671D0021CAFDB04EBABC981AAFB7F8AF44318F11457BA915B32D1D7389E118659

Uniqueness

Uniqueness Score: -1.00%

Function 004635BC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004635D7
ScrollWindow.USER32 ref: 00463606
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0046367C

Strings

0bE, xrefs: 00463629

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$ScrollVisible
String ID: 0bE
API String ID: 4127837035-2320990392
Opcode ID: dcf5398833a8aece63736bda120e7d310d868eb37a6717cdf2cc9f7d95771b72
Instruction ID: 7f3095df5fa9b67da4477243de4799cf530741cb3c8919d41d67974e35bf4d89
Opcode Fuzzy Hash: dcf5398833a8aece63736bda120e7d310d868eb37a6717cdf2cc9f7d95771b72
Instruction Fuzzy Hash: BF218D71605340BBC720DF5DC880B6BB7E4AF88715F14856EBA58CB352E739DC05876A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8E4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040F9D5), ref: 0040F96C
GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040F9D5), ref: 0040F972

Strings

, xrefs: 0040F938
yyyy, xrefs: 0040F947

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: $yyyy
API String ID: 3303714858-404527807
Opcode ID: 8eead4c1bdf257ec252ccddd628ff93b13d50f26aeabb31510a35da1225a0e5e
Instruction ID: 78f507776f5a3daf7eb55458d84c5018fb7d65ccf00ba4d583def5fe90135d0c
Opcode Fuzzy Hash: 8eead4c1bdf257ec252ccddd628ff93b13d50f26aeabb31510a35da1225a0e5e
Instruction Fuzzy Hash: A3217171A04118AFCB20EF55C881AAEB3B8EF08714F5140BBF805F7791D638AE4487A9

Uniqueness

Uniqueness Score: -1.00%

Function 004FC462, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004FC4A2

Strings

tIP, xrefs: 004FC4F4
@, xrefs: 004FC468
/INITPROCWND=$%x , xrefs: 004FC4D2

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@$tIP
API String ID: 2353593579-1466394587
Opcode ID: 5a3090d5d6df7c067db1b6483952aec51dd1abef0c0a75641e7276f90bec72bf
Instruction ID: 097a1a9749d9a58b5b88eb059f00cb423dfd1d3c345555dca05a7dcadf53a222
Opcode Fuzzy Hash: 5a3090d5d6df7c067db1b6483952aec51dd1abef0c0a75641e7276f90bec72bf
Instruction Fuzzy Hash: 2921D131A0434C9FDB01EBA4D991ABEB7F8EB49304F50447AF604E3291C638A904CB18

Uniqueness

Uniqueness Score: -1.00%

Function 004A64B4, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A6484: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004A649C

LoadLibraryW.KERNEL32(00000000,00000000,004A6572,?,?,00000000,00000000), ref: 004A64FC

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,00000000), ref: 00409666

Strings

CreateStdAccessibleObject, xrefs: 004A6517
LresultFromObject, xrefs: 004A6507
oleacc.dll, xrefs: 004A64E9

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2141747552-1050967733
Opcode ID: c2209bcdfbd28adc721e1377fe9786733053de7d799d58099f27643035934eb9
Instruction ID: b10891c7401b59bbad6ff30169d3e81ae1e5defeabf81acf8e986cfc71eaab60
Opcode Fuzzy Hash: c2209bcdfbd28adc721e1377fe9786733053de7d799d58099f27643035934eb9
Instruction Fuzzy Hash: 39110274900745BFEB10EF62EC86B5E77A8E722318F52467BA410666E2C77C5A08DA0C

Uniqueness

Uniqueness Score: -1.00%

Function 004D91C4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0047BF28: SetWindowTextW.USER32(?,00000000), ref: 0047BF58

GetFocus.USER32 ref: 004D922E
GetKeyState.USER32(0000007A), ref: 004D9245
WaitMessage.USER32(?,00000000,004D926C,?,00000000,004D9293), ref: 004D924F

Strings

Wnd=$%x, xrefs: 004D9210

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: 841a240f890e4b889c6b371fc3f9715ac62fa11c017711956407097141b1dfc6
Instruction ID: c673cddbc745adca3344508b04c918c66e68abf2b34721ac2f7c0cfbe52f55e9
Opcode Fuzzy Hash: 841a240f890e4b889c6b371fc3f9715ac62fa11c017711956407097141b1dfc6
Instruction Fuzzy Hash: 5E118F35604204AFCB01FBA5D862A9DB7F8EB4A704B5149BBF404E7751DB78AE008A59

Uniqueness

Uniqueness Score: -1.00%

Function 004B197C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047E6BC: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,00000000,00000000,004AE62F,00000000,004AE916,?,?,00000000,0050B17C), ref: 0047E6ED

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004B19BF
RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 004B19DB

Strings

RegisterTypeLib, xrefs: 004B19E6
LoadTypeLib, xrefs: 004B19CA

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Type$FullLoadNamePathRegister
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 4170313675-2435364021
Opcode ID: 031e64816dfcab40bc0802984921327133d3323c6490910334c1faf764851a86
Instruction ID: 8ece1fae63f3440495b095563476e4a16d9ec6d2216c806ca2a8dab9ea02ad2b
Opcode Fuzzy Hash: 031e64816dfcab40bc0802984921327133d3323c6490910334c1faf764851a86
Instruction Fuzzy Hash: 1B016570A40208ABD700FB66DC52BDE73ACDB48704FA04477B401E6292DB78AE108668

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA2C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00400000,CHARTABLE,0000000A,?,?,0040A9F4,00000000,00451ABD,00000000,00451BD7,?,?,?,00000000), ref: 0040AA40
LoadResource.KERNEL32(00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040A9F4,00000000,00451ABD,00000000,00451BD7,?,?,?,00000000), ref: 0040AA57
LockResource.KERNEL32(00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040A9F4,00000000,00451ABD,00000000,00451BD7,?,?,?), ref: 0040AA68

Part of subcall function 004135BC: GetLastError.KERNEL32(0040AA79,00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040A9F4,00000000,00451ABD,00000000,00451BD7), ref: 004135BC

Strings

CHARTABLE, xrefs: 0040AA35

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Resource$ErrorFindLastLoadLock
String ID: CHARTABLE
API String ID: 1074440638-2668339182
Opcode ID: 729fa5fbdd04fa08da4aee17b6a5a91d4596a7b24911617425901f88be5c8865
Instruction ID: 223024386014cbcd6611828f1d05543f9286b01788ebd28747f60c109f243f88
Opcode Fuzzy Hash: 729fa5fbdd04fa08da4aee17b6a5a91d4596a7b24911617425901f88be5c8865
Instruction Fuzzy Hash: E70161B4700700CFC708EFA5D9A0E6A77A6AB58314709447EE58157392CB3C8809DF5C

Uniqueness

Uniqueness Score: -1.00%

Function 004378DC, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(4B080B07), ref: 00437954
DeleteCriticalSection.KERNEL32(0050AF08,4B080B07,00000000,004379A5), ref: 0043795E
DeleteCriticalSection.KERNEL32(0050AF20,0050AF08,4B080B07,00000000,004379A5), ref: 00437968

Strings

81P, xrefs: 00437982

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Delete$CriticalSection$Object
String ID: 81P
API String ID: 378701848-2014264188
Opcode ID: 3bf8f0eb6866bbc05f0d4b5f2509e2c1389ed698d45d6864e9597cac4bbbf29a
Instruction ID: 8682f1a559276fd41b1422f534340816c999609e1fe4dbb901014130beba96f8
Opcode Fuzzy Hash: 3bf8f0eb6866bbc05f0d4b5f2509e2c1389ed698d45d6864e9597cac4bbbf29a
Instruction Fuzzy Hash: 110112B52142015BD310FB75EC4291D37A8EB96308791443EB300B77F2C9796C09D75A

Uniqueness

Uniqueness Score: -1.00%

Function 004FA928, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 004FA938

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,00000000), ref: 00409666

Strings

GetMonitorInfoA, xrefs: 004FA94C
MonitorFromRect, xrefs: 004FA93F
user32.dll, xrefs: 004FA933

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: 3bc640d196b92b993ca51069712ad3c59e5716b92b8c95b711c17991e39d64de
Instruction ID: 1bcf42a2e93eb479ad3fde3c2373cb2722947a05ee37f937310b8758800ce650
Opcode Fuzzy Hash: 3bc640d196b92b993ca51069712ad3c59e5716b92b8c95b711c17991e39d64de
Instruction Fuzzy Hash: FDF02BD1A01B192AC21179664C41E3B678CCF45350F560D37BE0CAA383E9DE8C1186EB

Uniqueness

Uniqueness Score: -1.00%

Function 004B4814, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegCloseKey.ADVAPI32(00000000,?,00000001,00000000,00000003,004B4800,00000003,00000000,004B49B7,00000000,004B4B71,?,004B4800,?,00000000,00000000), ref: 004B4861

Strings

SOFTWARE\Microsoft\.NETFramework, xrefs: 004B4834
.NET Framework not found, xrefs: 004B4870
InstallRoot, xrefs: 004B4850

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: a6c8733703318c416466281b4579e3ff347e98818994608c8f9231b1f98624ed
Instruction ID: 292b85a7d87c047c032ced858ea9190a62875626ebd5834b0ca7d4f2479a2961
Opcode Fuzzy Hash: a6c8733703318c416466281b4579e3ff347e98818994608c8f9231b1f98624ed
Instruction Fuzzy Hash: FCF0AF357001556BEB10BB5A9881B9B6688EBE5315F11803FF585C72A2CB38CC05C769

Uniqueness

Uniqueness Score: -1.00%

Function 0047FD48, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(?,00000000), ref: 0047FD54
GetModuleHandleW.KERNEL32(advapi32.dll,RegDeleteKeyExW,?,00000000,0047FF3B,00000000,0047FF53,?,?,?), ref: 0047FD6F

Strings

advapi32.dll, xrefs: 0047FD6A
RegDeleteKeyExW, xrefs: 0047FD65

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: DeleteHandleModule
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 3550747403-4033151799
Opcode ID: a6a1998f94020afa24a90d1cb7fb1923ecc2cd570b394969cc260e6e368cf805
Instruction ID: aa0877668d079f8a6811237ab7fed581843c075a164a8a8cd73df927e2332a0d
Opcode Fuzzy Hash: a6a1998f94020afa24a90d1cb7fb1923ecc2cd570b394969cc260e6e368cf805
Instruction Fuzzy Hash: E7E06DB06053206EF23467A4AC9ABD7261C8B55315F145437B10AA92E282FC2C4CD6AC

Uniqueness

Uniqueness Score: -1.00%

Function 00480944, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,00480A2C,00000004,00503F6C,004B1F3E,004B2358,004B1E94,00000000,00000B06,00000000,00000000), ref: 0048095A

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

InterlockedExchange.KERNEL32(0050B1A8,00000001), ref: 00480971

Strings

user32.dll, xrefs: 00480955
ChangeWindowMessageFilter, xrefs: 00480950

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: 93a8cfa1d00e9ca7a67552f5e2d303d09cd34d9d55648590828eae5e55d5573e
Instruction ID: 82ed8d6df81a7eb36759ba3e4d99f90523ab43b6522357cf758c02494deac435
Opcode Fuzzy Hash: 93a8cfa1d00e9ca7a67552f5e2d303d09cd34d9d55648590828eae5e55d5573e
Instruction Fuzzy Hash: 3FE0ECF0660300BEFA603B726CDAB5F66549764705F104826F000612D3C7BD1888EB58

Uniqueness

Uniqueness Score: -1.00%

Function 0046A734, Relevance: 6.2, APIs: 4, Instructions: 248sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,00000000,0046AB2A), ref: 0046A7A8
ShowWindow.USER32(00000000,00000004,?,00000000,0046AB2A), ref: 0046A7F0

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ShowSleepWindow
String ID:
API String ID: 4218995503-0
Opcode ID: 4bc7de6c184d23c75a833a253b4eb2f49253f79cf75a3eee61752992aff4170e
Instruction ID: 57b4a933d40b7c800f2b62f91e8823aae61054c9ffa662a57e78534e9b81f7e9
Opcode Fuzzy Hash: 4bc7de6c184d23c75a833a253b4eb2f49253f79cf75a3eee61752992aff4170e
Instruction Fuzzy Hash: 1A918C70A00644AFDB00DFA9D841FAEB7F5FB09704F1104A6F500A73A2E679AE54DF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00458B5C, Relevance: 6.2, APIs: 4, Instructions: 212COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00458BD1
GetDesktopWindow.USER32 ref: 00458D01
SetCursor.USER32(00000000), ref: 00458D56

Part of subcall function 00465C20: ImageList_EndDrag.COMCTL32(?,-0000000C,00458D31), ref: 00465C3C

SetCursor.USER32(00000000), ref: 00458D41

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CursorDesktopWindow$DragImageList_
String ID:
API String ID: 617806055-0
Opcode ID: 368c8bb4b059ed571f3ed7628eb8f26ac6c421cf563e29be506734e6c68b6f20
Instruction ID: 5b8a5ffc2676b61429797a4f75449b093ae134768df342a894d9c4663559b162
Opcode Fuzzy Hash: 368c8bb4b059ed571f3ed7628eb8f26ac6c421cf563e29be506734e6c68b6f20
Instruction Fuzzy Hash: C0915B742102088FE700DF29D8D9B5A77E1BBA9305F04859AE8449B376CB78EC4DDF95

Uniqueness

Uniqueness Score: -1.00%

Function 0041672C, Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004167DB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004167F7
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041686E
VariantClear.OLEAUT32(?), ref: 00416897

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 1880c046d0361cb4feb656d5e353c2bc5989ace5eac04d1957f99b27752a45fe
Instruction ID: 3729195a26d3938dfdf18e59bcae220f4c3d5881819744d32fab3221a2c6a924
Opcode Fuzzy Hash: 1880c046d0361cb4feb656d5e353c2bc5989ace5eac04d1957f99b27752a45fe
Instruction Fuzzy Hash: 60410A75A016199BCB61EF59C890BC9B7BDAB48314F0141DAE548A7216DA38EFC08F58

Uniqueness

Uniqueness Score: -1.00%

Function 004115CC, Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,00411778), ref: 004115FF
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00411623
GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 0041163E
LoadStringW.USER32(00000000,0000FFE8,?,00000100), ref: 004116D9

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 3be31e3b2ea52e5ef1e186d18b649fd06ede5b0a46d106637fc5f32ac6dfc7dd
Instruction ID: 2fb94661ed3bd45f4c6cdb0b4f25d0cceb8d8fbdc1eb40c7d816f3195b4a6094
Opcode Fuzzy Hash: 3be31e3b2ea52e5ef1e186d18b649fd06ede5b0a46d106637fc5f32ac6dfc7dd
Instruction Fuzzy Hash: 2A413170A002589FDB20EF59CD81BCAB7F9AB58314F0040FAE608E7391D7799E948F59

Uniqueness

Uniqueness Score: -1.00%

Function 00434158, Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00431F8C: EnterCriticalSection.KERNEL32(0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431F94
Part of subcall function 00431F8C: LeaveCriticalSection.KERNEL32(0050AF20,0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431FA1
Part of subcall function 00431F8C: EnterCriticalSection.KERNEL32(?,0050AF20,0050AF20,00000000,004340D5,00000000,?,?,00435A5E,004364EC,00000000,?,?), ref: 00431FAA

Part of subcall function 00435C44: GetDC.USER32(00000000), ref: 00435C9A
Part of subcall function 00435C44: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00435CAF
Part of subcall function 00435C44: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00435CB9
Part of subcall function 00435C44: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004341AB,00000000,00434237), ref: 00435CDD
Part of subcall function 00435C44: ReleaseDC.USER32 ref: 00435CE8

CreateCompatibleDC.GDI32(00000000), ref: 004341AD
SelectObject.GDI32(00000000,?), ref: 004341C6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004341EF
RealizePalette.GDI32(00000000), ref: 004341FB

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
String ID:
API String ID: 979337279-0
Opcode ID: fff205d747e362ac45f31b29a96dbe3da15874876ea942b91e2107e9cca26013
Instruction ID: d87175d742e0276230b70ddd67f8b8822d88cc7ec207c53e0907679b65e79936
Opcode Fuzzy Hash: fff205d747e362ac45f31b29a96dbe3da15874876ea942b91e2107e9cca26013
Instruction Fuzzy Hash: D6310774A00658EFCB04EB59C981D9EB3F5EF4C324B6251A6F804AB366C738EE41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004FAF4C, Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(00000000,?,00000000), ref: 004FAFB0
OffsetRect.USER32(00000000,00000000,?), ref: 004FAFCB
OffsetRect.USER32(00000000,?,00000000), ref: 004FAFE5
OffsetRect.USER32(00000000,00000000,?), ref: 004FB000

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: cb210d1bcc2253a2864a3c19c642cccce1b14fcde6a59f5816a3f89f47b6fa68
Instruction ID: 3950c7e52b127766a66e38bdb4d7a031cdb43fbd1104537f8e92d08780ab70a9
Opcode Fuzzy Hash: cb210d1bcc2253a2864a3c19c642cccce1b14fcde6a59f5816a3f89f47b6fa68
Instruction Fuzzy Hash: 0C2183B67042066FC700DE69CC85E6B77DAEBC4344F54C92AF644C7256E734EC0587A6

Uniqueness

Uniqueness Score: -1.00%

Function 0045EEC0, Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

IsZoomed.USER32(00000000), ref: 0045EED5
GetParent.USER32(00000000), ref: 0045EEEA
GetWindowRect.USER32 ref: 0045EF03
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000016,00000000,?,00000000), ref: 0045EF6E

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$ParentRectZoomed
String ID:
API String ID: 3993858495-0
Opcode ID: fce9b03dda0c57b4364e0c7f05c3fd9ad5df3e529952553dbded3a850fd6afc4
Instruction ID: 41642b7a77ac7db3b31fab53975f0018cf67021daefd6c497e2176d5a0a4b7bb
Opcode Fuzzy Hash: fce9b03dda0c57b4364e0c7f05c3fd9ad5df3e529952553dbded3a850fd6afc4
Instruction Fuzzy Hash: 2421D935600104AFDB14EF6DC481E9EB3F5AF18305B20455AFA84E7392EB36EE54CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0047B090, Relevance: 6.1, APIs: 4, Instructions: 75threadwindowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000004), ref: 0047B0A0
GetWindowThreadProcessId.USER32(?,?), ref: 0047B0BD
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0047B0C9
IsWindowVisible.USER32(?), ref: 0047B11F

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Window$Process$CurrentThreadVisible
String ID:
API String ID: 3926708836-0
Opcode ID: 244113c8ad9d5ac25f580ebf26d470919350f8359faf86d05392c37ce22d0f28
Instruction ID: d67c3866086eed8f2567cea6c2f7e2bd062bd02c680e354b8e5b6e5be24fa7c2
Opcode Fuzzy Hash: 244113c8ad9d5ac25f580ebf26d470919350f8359faf86d05392c37ce22d0f28
Instruction Fuzzy Hash: 07212C35600240DBE701EB69D9D1FEA73B8EB18314F948177E91897362D738AD058BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0047BC08, Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,0047B691,00000000,0047BBCE), ref: 0047BC35

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ActiveWindow
String ID:
API String ID: 2558294473-0
Opcode ID: 864d13bdc78cf114819407cc29dce0200f4ef20c1d690efc8b00b2e29b2674c7
Instruction ID: 0db94734e8515cba134c003bd96e3eed1ff833ea1cfa5b242111a42ae5d7b3d9
Opcode Fuzzy Hash: 864d13bdc78cf114819407cc29dce0200f4ef20c1d690efc8b00b2e29b2674c7
Instruction Fuzzy Hash: F721DB70604240DFEB25EE69C8C5BD62794BF04308F4884BAFD4C9F29BDB69D8458769

Uniqueness

Uniqueness Score: -1.00%

Function 00453328, Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetMenuState.USER32 ref: 0045334B
GetSubMenu.USER32 ref: 00453356
GetMenuItemID.USER32(?,?), ref: 0045336F
GetMenuStringW.USER32 ref: 004533C4

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: e0b2aff8d3505fd393e0f2f4e7ded4eca910dea1ab6ba8c59c152b7a326c5404
Instruction ID: e2a2a4d282d0096dd30e61f6a4ca1df5a3037ec28ed59cd430e3acd2e0ba8e80
Opcode Fuzzy Hash: e0b2aff8d3505fd393e0f2f4e7ded4eca910dea1ab6ba8c59c152b7a326c5404
Instruction Fuzzy Hash: 45115131611118AFC700EE6ECC459AF77E8AF49396B10456BFC09D7393DA38DE0597A8

Uniqueness

Uniqueness Score: -1.00%

Function 00480C94, Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,00480D3B,?,?,?,?,00000000), ref: 00480CCA
DeleteFileW.KERNEL32(00000000,00000000,00480D3B,?,?,?,?,00000000), ref: 00480CF1
GetLastError.KERNEL32(00000000,00000000,00480D3B,?,?,?,?,00000000), ref: 00480D00
MoveFileW.KERNEL32(00000000,00000000), ref: 00480D1A

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: File$Move$DeleteErrorLast
String ID:
API String ID: 3032323431-0
Opcode ID: 3544a80a1afb362c6ba675a943a1b19a78f915b6c292b445f862dfc6c9b9cef2
Instruction ID: 7f3b113f1acf62cc89dab94fccb5dc75004b554c2e88a941b9d914c948e82687
Opcode Fuzzy Hash: 3544a80a1afb362c6ba675a943a1b19a78f915b6c292b445f862dfc6c9b9cef2
Instruction Fuzzy Hash: 6901C471710354AADB21BFBA8C8296E72DCDB4170CB62497BF001E3692DA3DAD19821D

Uniqueness

Uniqueness Score: -1.00%

Function 004FABE0, Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(F8031024,00000008,?), ref: 004FABF5
MulDiv.KERNEL32(E8C38B57,00000008,?), ref: 004FAC09
MulDiv.KERNEL32(FFF77F9E,00000008,?), ref: 004FAC1D
MulDiv.KERNEL32(E8C38B50,00000008,?), ref: 004FAC3B

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aeca573a1f523cd84a5b6c5d94893b92d42509870cb5d486b4303d0bd25cd7f
Instruction ID: 99f03527093ba141d6bc40404b96c78c056c1ce667647233cc714bd5f382aa4c
Opcode Fuzzy Hash: 5aeca573a1f523cd84a5b6c5d94893b92d42509870cb5d486b4303d0bd25cd7f
Instruction Fuzzy Hash: EF115E72604248AFCB44DE9DC884E9A7BECEF49364F1041A6BA08DB256D635DD00CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004371D0, Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(?,?), ref: 004371F1
GetObjectW.GDI32(?,00000018,?,00000000,0043724D,?,?,?), ref: 00437212
DeleteObject.GDI32(?), ref: 0043723E
DeleteObject.GDI32(?), ref: 00437247

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Object$Delete$IconInfo
String ID:
API String ID: 507670407-0
Opcode ID: eafc0576186234d666b26eab3bf862f164babea7372ad63040be5848730273f8
Instruction ID: 237573efb7d07f23659b9a36111f59eba5243dce53b0c9d3b6df79918595ad87
Opcode Fuzzy Hash: eafc0576186234d666b26eab3bf862f164babea7372ad63040be5848730273f8
Instruction Fuzzy Hash: 201142B5A04204AFDB14DFA6D981D9EF7F9EB8C310F1080AAF944E7351D634DD04CA54

Uniqueness

Uniqueness Score: -1.00%

Function 0045AB18, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?), ref: 0045AB2D
MulDiv.KERNEL32(?), ref: 0045AB4A
MulDiv.KERNEL32(?), ref: 0045AB67
MulDiv.KERNEL32(?), ref: 0045AB84

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d09a4a738704cd79c13d422565b661aeebc8cb04668fc7712c103bd51324070
Instruction ID: 2d14abfe5467a2a3f9f9f11384c12630c08dbb79469c23f87f0f05b8c0661458
Opcode Fuzzy Hash: 0d09a4a738704cd79c13d422565b661aeebc8cb04668fc7712c103bd51324070
Instruction Fuzzy Hash: 7D01562130024CABCB64BD275C44F9B7A5EDF82755B00413E7E2A9B353E96CEC1483A8

Uniqueness

Uniqueness Score: -1.00%

Function 0045AB9C, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?), ref: 0045ABB1
MulDiv.KERNEL32(?), ref: 0045ABCB
MulDiv.KERNEL32(?), ref: 0045ABE8
MulDiv.KERNEL32(?), ref: 0045AC05

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f21a4a6913cabdd891ad792af731c2aaea4be6a0c140d5fafcc18630e585cd
Instruction ID: d2d2d10dfd6d333d919af8afa6fafe424737bf13a2787c07879e9aebbf0cf12a
Opcode Fuzzy Hash: 06f21a4a6913cabdd891ad792af731c2aaea4be6a0c140d5fafcc18630e585cd
Instruction Fuzzy Hash: B1018B213002086BCB28BD275C85F5B7A9EDFC2754B00413E7D1A9B353E9BCED1483A8

Uniqueness

Uniqueness Score: -1.00%

Function 00463480, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?), ref: 00463498
MulDiv.KERNEL32(?), ref: 004634B2
MulDiv.KERNEL32(?), ref: 004634CF
MulDiv.KERNEL32(?), ref: 004634EC

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e0456dfea3bad6c77b598901b22a6061f589eb9f1a3e53e110156495351957
Instruction ID: 405954b8e44ee07b894c05496ad210b7abba4dbc0493be042e276050902fd990
Opcode Fuzzy Hash: c0e0456dfea3bad6c77b598901b22a6061f589eb9f1a3e53e110156495351957
Instruction Fuzzy Hash: FE012C213002486BC724BE275C45F5BBA5EDFC2755B00807E781A9B357EDB89E0486A5

Uniqueness

Uniqueness Score: -1.00%

Function 00426A4C, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00400000,?,?,0042178C,00400000,00000001,00000000,?,0042698E,00000000,00000000,?,00000000,?,?,004DE870), ref: 00426A63
LoadResource.KERNEL32(00400000,00426AE8,00400000,?,?,0042178C,00400000,00000001,00000000,?,0042698E,00000000,00000000,?,00000000,?), ref: 00426A7D
SizeofResource.KERNEL32(00400000,00426AE8,00400000,00426AE8,00400000,?,?,0042178C,00400000,00000001,00000000,?,0042698E,00000000,00000000), ref: 00426A97
LockResource.KERNEL32(0042652C,00000000,00400000,00426AE8,00400000,00426AE8,00400000,?,?,0042178C,00400000,00000001,00000000,?,0042698E,00000000), ref: 00426AA1

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: fbb838dfb8a984f98673c35adeec76654e77647bee0350a6b9b467abf03efca3
Instruction ID: 432f08dde49b013c1c90c5113a1f6abd0d78333a01f7ecda222a99177f0c13f5
Opcode Fuzzy Hash: fbb838dfb8a984f98673c35adeec76654e77647bee0350a6b9b467abf03efca3
Instruction Fuzzy Hash: 58F0ADB3204210AF8B45EE6DA881D2B73ECEE88364311402FF818DB207DA39DD01837C

Uniqueness

Uniqueness Score: -1.00%

Function 004B0A08, Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047FD20: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,004803F6,?,00000000,?,00480396,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004803F6), ref: 0047FD3C

RegDeleteValueW.ADVAPI32(?,00000000,?,00000002,00000000,?,?,?,004B73CF), ref: 004B0A44
RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,?,004B73CF), ref: 004B0A4D
RemoveFontResourceW.GDI32(00000000), ref: 004B0A5A
SendNotifyMessageW.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004B0A6E

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 56227a60cafbd9e35b2e5c673dd9c348bcb7980fddfd6c644259f60532f54d59
Instruction ID: 68f3d6a6108326f095a0386f20cc17951fd509f527c3e1173e60b2f3b34f874f
Opcode Fuzzy Hash: 56227a60cafbd9e35b2e5c673dd9c348bcb7980fddfd6c644259f60532f54d59
Instruction Fuzzy Hash: C2F030B174031126E610B6B65C46F9B62CC5B48748F11883AB645EB2C3D97CDC04476D

Uniqueness

Uniqueness Score: -1.00%

Function 004589A4, Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 004589B1
GetCurrentProcessId.KERNEL32(00000000,?,?,00000000,00000000,00458A1C,-000000F4,?,?,004585DE,?,-0000000C,?), ref: 004589BA
GlobalFindAtomW.KERNEL32(00000000), ref: 004589CF
GetPropW.USER32 ref: 004589E6

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 02dd8a062a381729000d46ead6dfb8f7d2f5d6fbe194fcf8eb24a44b854f72ac
Instruction ID: c5b696a72588346249ad42f44ef6febf25fa79375e452dd96b9cf53597f99a7f
Opcode Fuzzy Hash: 02dd8a062a381729000d46ead6dfb8f7d2f5d6fbe194fcf8eb24a44b854f72ac
Instruction Fuzzy Hash: 44F0A792212122A6E6227B7B5C8597F328CAD00315300423FFC80E6197DF2DCC8991BF

Uniqueness

Uniqueness Score: -1.00%

Function 004FE5D0, Relevance: 6.0, APIs: 4, Instructions: 35filesynchronizationCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,004FE639,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668), ref: 004FE5D9
DeleteFileW.KERNEL32(00000000,00000000,00000000,004FE639,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668), ref: 004FE5E7
ReleaseMutex.KERNEL32(00000000,004FE640,004FE639,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668), ref: 004FE62A
CloseHandle.KERNEL32(00000000,00000000,004FE640,004FE639,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,004FE668), ref: 004FE633

Strings

.msg, xrefs: 004FE39A
.lst, xrefs: 004FE3B4
Inno-Setup-RegSvr-Mutex, xrefs: 004FE325
/REGU, xrefs: 004FE2EE
/REG, xrefs: 004FE2CA
Setup, xrefs: 004FE306

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: DeleteFile$CloseHandleMutexRelease
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 3118534315-3672972446
Opcode ID: 2c9e6d88e7ca0685aff2bf63fe048368c1d78a2a0d3c34b01aeb96910a64377f
Instruction ID: a01dffca68a05d34cbb6413aea90befd7ed39e7fb173efff64097f4da04a2672
Opcode Fuzzy Hash: 2c9e6d88e7ca0685aff2bf63fe048368c1d78a2a0d3c34b01aeb96910a64377f
Instruction Fuzzy Hash: 56F0BB315082089EEB01EBB6D81296E77A8DB45304BA2083BF500E25A2C63D4C11C65C

Uniqueness

Uniqueness Score: -1.00%

Function 0047A5A0, Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0047A5B8
SetWindowsHookExW.USER32(00000003,0047A55C,00000000,00000000), ref: 0047A5C8
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,0047DB9B), ref: 0047A5E3
CreateThread.KERNEL32 ref: 0047A608

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: fce3583073313e64405e8b32e39b1966a418c3b0a299ade769e8da19304fed34
Instruction ID: 5af294596652428082a2d10271691ea12361138bf71b4d4e0de4d4f74ec09c2b
Opcode Fuzzy Hash: fce3583073313e64405e8b32e39b1966a418c3b0a299ade769e8da19304fed34
Instruction Fuzzy Hash: 25F03071684344BEF7109B61ECABF6E3798A365705F54402AF30C6A2D1C3B81C99E71A

Uniqueness

Uniqueness Score: -1.00%

Function 00457870, Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0045787D
GetCurrentProcessId.KERNEL32(?,00000000,00000000,0047DF65,?,00000000,?,00000001,0047C338,?,00000000,00000200,0000020A,00000001), ref: 00457886
GlobalFindAtomW.KERNEL32(00000000), ref: 0045789B
GetPropW.USER32 ref: 004578B2

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: d6942f44e9d259098e9c5c05ea23247048c5fbe4d63194b29dcdf671a96cf5df
Instruction ID: 5e01bdbad4ef4b9cbd17ae56e9baf8964506d0fbf22e9b6c0c32739e0915d928
Opcode Fuzzy Hash: d6942f44e9d259098e9c5c05ea23247048c5fbe4d63194b29dcdf671a96cf5df
Instruction Fuzzy Hash: A8F03752B0411166DA10B7B7ACCA86B2A8C89543553054577FD56E7383D53C8C4DD2BD

Uniqueness

Uniqueness Score: -1.00%

Function 004D8C08, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008), ref: 004D8C11
OpenProcessToken.ADVAPI32(00000000,00000008), ref: 004D8C17
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 004D8C39
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 004D8C4A

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: ce45d488497232d6495bdc8f9f740d195bf4cfa8be9f4b37a496b3fc2c77e68e
Instruction ID: 51fa21f25c06e328c69f26ed10c7d9100417013b7cd6ce2efd1497f92d756bd2
Opcode Fuzzy Hash: ce45d488497232d6495bdc8f9f740d195bf4cfa8be9f4b37a496b3fc2c77e68e
Instruction Fuzzy Hash: 6CF012716153007BD70096B58C81E5773DC9B44754F04483E7E54D72C1EA39DD489666

Uniqueness

Uniqueness Score: -1.00%

Function 0043736C, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00437375
SelectObject.GDI32(00000000,058A00B4), ref: 00437387
GetTextMetricsW.GDI32(00000000,?,00000000), ref: 00437392
ReleaseDC.USER32 ref: 004373A3

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: 2907fb977446ebac350a592686c43b06d3a805bdf8fdaa2d33c3e9d59b490aac
Instruction ID: 58c6ea5530ae4f5a6a63de3346d4281161ca75ef2694c6dcad3afc0a28ef6ed2
Opcode Fuzzy Hash: 2907fb977446ebac350a592686c43b06d3a805bdf8fdaa2d33c3e9d59b490aac
Instruction Fuzzy Hash: 3DE048517066B126D76161664C83BDF25484F06275F08112AFD84E92D3EA1DCD01E2FA

Uniqueness

Uniqueness Score: -1.00%

Function 00470E14, Relevance: 6.0, APIs: 4, Instructions: 24threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00470E1A
EnumWindows.USER32(00470DDC), ref: 00470E33
GetCurrentThreadId.KERNEL32 ref: 00470E42
EnumThreadWindows.USER32(00000000,00470DBC), ref: 00470E48

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: EnumThreadWindows$ActiveCurrentWindow
String ID:
API String ID: 1202916826-0
Opcode ID: 8663e4fa51a25b22250b6f616eba7e7924732261bf014aeab7ed04c21ec16752
Instruction ID: 7712d82115595b5bbe0424392478e81f51976f73aa844afc3d5bfb08cee64333
Opcode Fuzzy Hash: 8663e4fa51a25b22250b6f616eba7e7924732261bf014aeab7ed04c21ec16752
Instruction Fuzzy Hash: 60E0865168D340BAF60062B60C027AA7AC8CA82324F14892FFCE8A72C3D53D4C05627F

Uniqueness

Uniqueness Score: -1.00%

Function 0048410C, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0048440A

Strings

48H, xrefs: 00484160
H, xrefs: 004841C1

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: FreeString
String ID: 48H$H
API String ID: 3341692771-1350225257
Opcode ID: f17ddb08a67e2093ac53acbd4110b127a93957364943283f0e980f94c14fe594
Instruction ID: 6209862446b9a05c525dd6954695b70c720c436fc9378fb4ce7688ec02123eb0
Opcode Fuzzy Hash: f17ddb08a67e2093ac53acbd4110b127a93957364943283f0e980f94c14fe594
Instruction Fuzzy Hash: 34B1F374A01609EFDB10DF99D880A9EBBF1FF89314F24856AE805AB361D738AC45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00441B4C, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 00441D9E
OffsetRect.USER32(?,000000FF,000000FF), ref: 00441DDF

Strings

..., xrefs: 00441C99, 00441D5D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: OffsetRect
String ID: ...
API String ID: 177026234-440645147
Opcode ID: 9b6f1a6c90d19fdab908977e88c1fcfa124f7f2e3165ad2188b6df2f50122979
Instruction ID: b86cd83c616bc19477878014547529188140967f7864a80cd3d85a49f49713b9
Opcode Fuzzy Hash: 9b6f1a6c90d19fdab908977e88c1fcfa124f7f2e3165ad2188b6df2f50122979
Instruction Fuzzy Hash: E4915D74A001049BEB11DFA9C985BDA77F5AF49304F2440B6E805EB3A6D778EE81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004591EC, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

Part of subcall function 00458068: ReleaseCapture.USER32(00000000,00459263,00000000,0045948F,?,00000000,00459501), ref: 0045806B

SetCursor.USER32(00000000,00000000,0045948F,?,00000000,00459501), ref: 0045937B

Part of subcall function 00465C20: ImageList_EndDrag.COMCTL32(?,-0000000C,00458D31), ref: 00465C3C

Strings

(GE, xrefs: 00459271
4YE, xrefs: 004592A2

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CaptureCursorDragImageList_Release
String ID: (GE$4YE
API String ID: 1302740870-2190304079
Opcode ID: 38245a45ae294dbc209d9c552870ed82879ebef03da6f3b99cac7c6347123cd0
Instruction ID: 677554ce33e139bb7db45c3ece7d7f38f200c479743da055978665404f5ebb31
Opcode Fuzzy Hash: 38245a45ae294dbc209d9c552870ed82879ebef03da6f3b99cac7c6347123cd0
Instruction Fuzzy Hash: BE81A170604244DFEB05CF65D894B6E7BE1FBAD305F1481AAE840873A2C7789C4DDB95

Uniqueness

Uniqueness Score: -1.00%

Function 00458FB4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

0bE, xrefs: 00459082, 004590B8

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID:
String ID: 0bE
API String ID: 0-2320990392
Opcode ID: e13f7d6370c10b124c3a81da77be748c2a4f6f97622c2c1ad18eef8128e78c0f
Instruction ID: ab28fe0629281bc3a8d619394c7c62e31fb3bd75857d63831c3b6f351b1356e2
Opcode Fuzzy Hash: e13f7d6370c10b124c3a81da77be748c2a4f6f97622c2c1ad18eef8128e78c0f
Instruction Fuzzy Hash: E551C930A00605DFDB00DF59C881A9EBBF5FF98315F1184AAEC04A7392D779AD89CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411074, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,00411187,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00411090

Strings

<*P, xrefs: 0041111D
X*P, xrefs: 00411142

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: LocaleThread
String ID: <*P$X*P
API String ID: 635194068-628368254
Opcode ID: 52dc1b13e0e2b0ffdd653057525880b3fe53e6f7c7912d1678e4b8d21896f8ab
Instruction ID: 5836da1b360b6cbb10a15eeaf75eb8dd80c660c823a45f6c764e19074c377661
Opcode Fuzzy Hash: 52dc1b13e0e2b0ffdd653057525880b3fe53e6f7c7912d1678e4b8d21896f8ab
Instruction Fuzzy Hash: 5731C871F005086FD704DB45C882EAE7BADE788314F65447BFA09DB381D939ED818369

Uniqueness

Uniqueness Score: -1.00%

Function 00468B5C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

0bE, xrefs: 00468C3A
@, xrefs: 00468B71

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: PointsWindow
String ID: 0bE$@
API String ID: 4123100037-122265358
Opcode ID: 8395b34624a7b65c480beec848bd49da82369e2aa995b346deec5b7bbbe1a8e2
Instruction ID: da6395379e4789248bb68ae9639d3fa7cdc2a154edf4300eda36607f7254129a
Opcode Fuzzy Hash: 8395b34624a7b65c480beec848bd49da82369e2aa995b346deec5b7bbbe1a8e2
Instruction Fuzzy Hash: B5319431A012049BCB20DF68C881ADEB3A4AF05714F00866FFC5567392EF39ED49C75A

Uniqueness

Uniqueness Score: -1.00%

Function 004AA2DC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004AA36F
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004AA3A0

Strings

open, xrefs: 004AA393

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: 6226b72d3a908e6b84aff4b5a83d13064dfccb5c0d45ef645fc4726cb8e648b8
Instruction ID: e303f42d2cf0764dadaa1299d1c4007adbfe1eed8e9935e8a168fd1f04f58973
Opcode Fuzzy Hash: 6226b72d3a908e6b84aff4b5a83d13064dfccb5c0d45ef645fc4726cb8e648b8
Instruction Fuzzy Hash: EF214F70A00204AFDF04DFA9C882B9EB7B8EB55704F51847AA805E7292D779AE50CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004FBB64, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 004FBBD1
CloseHandle.KERNEL32(004FBC7C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004FBC38,?,004FBC28,00000000), ref: 004FBBEE

Part of subcall function 004FBABC: GetLastError.KERNEL32(00000000,004FBB57,?,?,?), ref: 004FBADF

Strings

D, xrefs: 004FBBAB

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: D
API String ID: 3798668922-2746444292
Opcode ID: 3f02340621f5fa5a5faa6e0f7561d463d8109bf79084aca5f85af76e7cab0b0f
Instruction ID: ff54de1ae36874aeeb1eee2a17cd989ffd6efd5a7e1b6b00c6eb3949c88bb285
Opcode Fuzzy Hash: 3f02340621f5fa5a5faa6e0f7561d463d8109bf79084aca5f85af76e7cab0b0f
Instruction Fuzzy Hash: 70118EB060420CAFD700EB95CC42EAFB7ECEF49308F51007AF604E7681EB389D0186A8

Uniqueness

Uniqueness Score: -1.00%

Function 00412ED8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 00412EFA
GetSystemMetrics.USER32 ref: 00412F4B

Strings

\)P, xrefs: 00412F25

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: LocaleMetricsSystemThread
String ID: \)P
API String ID: 3035471613-3049963737
Opcode ID: f1529f4f3e982c8e6eb539465a84f6e727f9ce11be0cf3805865be927159e22a
Instruction ID: 50cd9c9b77890bafca8ea87f72a24f18ef828198aef6e3af61819e877b2cc8b6
Opcode Fuzzy Hash: f1529f4f3e982c8e6eb539465a84f6e727f9ce11be0cf3805865be927159e22a
Instruction Fuzzy Hash: 7801D6702042518ADB109E2695853A37BE5AB51315F08C0ABED48CF3D7DABDC8D6D3B9

Uniqueness

Uniqueness Score: -1.00%

Function 004FD28C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 004B00AC: GetCurrentProcess.KERNEL32(00000028), ref: 004B00BC
Part of subcall function 004B00AC: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004B00C2

SetForegroundWindow.USER32(?), ref: 004FD2C5

Strings

Not restarting Windows because Uninstall is being run from the debugger., xrefs: 004FD2FC
Restarting Windows., xrefs: 004FD29C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
API String ID: 3179053593-4147564754
Opcode ID: 96529cc31a45527a3be0a4759eb50d0f5700797e19f6739869a7adae3deddeab
Instruction ID: d1f48b287f888cff443f9a9cc7583872310ba117a82dfd622287828ac23461ad
Opcode Fuzzy Hash: 96529cc31a45527a3be0a4759eb50d0f5700797e19f6739869a7adae3deddeab
Instruction Fuzzy Hash: 46115A34A041489FD701EB65E945BAD33E5AF49308F554077FA01A73A2C77CAC459B2D

Uniqueness

Uniqueness Score: -1.00%

Function 0044AAAC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000001,00000000,0044AB2B,?,?,?,00000000), ref: 0044AAC9
SetTimer.USER32(?,00000001,?,00000000), ref: 0044AAEB

Part of subcall function 00408D5C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00408DA1

Strings

8B, xrefs: 0044AB06

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Timer$KillLoadString
String ID: 8B
API String ID: 1423459280-4165284811
Opcode ID: 362e4a23cb43d9372a30521bb4898daafb715d1de82e01c60341028aaecc1448
Instruction ID: b9c06d8f07b52db84a512ba5dd8922f7f6612851b00a9a57e0db484b0ae24fa4
Opcode Fuzzy Hash: 362e4a23cb43d9372a30521bb4898daafb715d1de82e01c60341028aaecc1448
Instruction Fuzzy Hash: 0401D430350240AFEB21EF61CD86F5A37ADEB08748F5005A6FE00AB2D6D679BC50C65D

Uniqueness

Uniqueness Score: -1.00%

Function 004380F8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44threadCOMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?), ref: 0043812B
SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00438095), ref: 00438138

Strings

X`P, xrefs: 004380FF

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: CompareExchangeInterlockedSwitchThread
String ID: X`P
API String ID: 3384000618-2474155081
Opcode ID: f4ae14c70a5bbde5847d0e2af1d60944898d8ced8394b342272b69a43e0bbee8
Instruction ID: a684994c5c8966657b84c01853d2f82025a43701f920f47f23174a89fcf2eaf0
Opcode Fuzzy Hash: f4ae14c70a5bbde5847d0e2af1d60944898d8ced8394b342272b69a43e0bbee8
Instruction Fuzzy Hash: 97F0FC722097845AEB2115199C41B3AA699DBC6371F35163FF098872D1C92D4C43836A

Uniqueness

Uniqueness Score: -1.00%

Function 0042DC78, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042DCC6
GetSystemMetrics.USER32 ref: 0042DCD8

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(77400000,00000000), ref: 0042DA08

Strings

MonitorFromPoint, xrefs: 0042DC8A

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromPoint
API String ID: 1792783759-1072306578
Opcode ID: c206c6802f49a28d527c846d294ff08559927eed22d090e7df17a883bf7e1f71
Instruction ID: c196b6dbe358f2d2bbcfebf0ee2a54d3fef1980992c31caf8b94c3b9d6220515
Opcode Fuzzy Hash: c206c6802f49a28d527c846d294ff08559927eed22d090e7df17a883bf7e1f71
Instruction Fuzzy Hash: D901A271B082246FDB004F52FC48B5FBB59FBA4355F90801BF9049B251C2F59C48DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0042DB28, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042DB79
GetSystemMetrics.USER32 ref: 0042DB85

Part of subcall function 0042D96C: GetProcAddress.KERNEL32(77400000,00000000), ref: 0042DA08

Strings

MonitorFromRect, xrefs: 0042DB3D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: f5d85c7e71d0c9417e1827471a2e6bf2f603beb8a552f53d0b11e2b1a6a850b0
Instruction ID: 908d55ac1df62638f4d21ea26ee818da5ecf9f520e84bc79be8dc3c796858caa
Opcode Fuzzy Hash: f5d85c7e71d0c9417e1827471a2e6bf2f603beb8a552f53d0b11e2b1a6a850b0
Instruction Fuzzy Hash: 9701A232B103649BD7108B14E899B9BBF9DE750361F994052E904CF347C2B8EC889BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004FDDEC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 004DEED0: FreeLibrary.KERNEL32(?,004FDE18,00000000,004FDE27,?,?,?,?,?,004FE903), ref: 004DEEE6

Part of subcall function 004DEAEC: GetTickCount.KERNEL32 ref: 004DEB34

Part of subcall function 004B2054: SendMessageW.USER32(00000000,00000B01,00000000,00000000), ref: 004B2073

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,004FE903), ref: 004FDE41
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,004FE903), ref: 004FDE47

Strings

Detected restart. Removing temporary directory., xrefs: 004FDDFB

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: 6be13c5cc4cdbd5350a372fd4f9851076ee7480567fea7ec74461a7536726691
Instruction ID: 5c652130c74be1b4518fb524f9ea07f6a8bccad035dd6fa265c4fe7db097e18b
Opcode Fuzzy Hash: 6be13c5cc4cdbd5350a372fd4f9851076ee7480567fea7ec74461a7536726691
Instruction Fuzzy Hash: 65E02B72A08A486DE6123BB77C1697B7B9ED757728B51083BF3048A643CA2D5C14D23C

Uniqueness

Uniqueness Score: -1.00%

Function 00452924, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0045293F
GetKeyState.USER32(00000011), ref: 00452950

Strings

, xrefs: 0045295F

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: 7d93798c207586ada7ae01befcddc06c46c426bd79fde4a8b4352762cc2e625d
Instruction ID: e5f2dde1b85970a6f7d963af67b364511ef951f9b4c27a929f10f444735450ec
Opcode Fuzzy Hash: 7d93798c207586ada7ae01befcddc06c46c426bd79fde4a8b4352762cc2e625d
Instruction Fuzzy Hash: CCE022A2700A4602FB11757A1D103EB17D04F537AAF0806AFBEC03A2C3E1DE0E0A90A9

Uniqueness

Uniqueness Score: -1.00%

Function 004395AC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(DWMAPI.DLL,?,?,00439672,?,00461693), ref: 004395D2

Strings

DWMAPI.DLL, xrefs: 004395CD
DwmIsCompositionEnabled, xrefs: 004395EA

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: LibraryLoad
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 1029625771-2128843254
Opcode ID: f522c6db7636a78b0fb4951b1d1f8cd1b4d5f1cbe338c0086e8703c7932d1cb0
Instruction ID: d9ddd3255d6c6f21e8be2380f661a2a9546a3235c066a32dca0437954f0ef390
Opcode Fuzzy Hash: f522c6db7636a78b0fb4951b1d1f8cd1b4d5f1cbe338c0086e8703c7932d1cb0
Instruction Fuzzy Hash: 12F0B7B1603210DEF721AB64ACDD75F3294971C305F00502BA925962A1C7BC0C89EF6A

Uniqueness

Uniqueness Score: -1.00%

Function 00480A80, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 00480B10: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,00480A8E,?,00000001,00000000,004E2A27,-00000010,?,00000004,0000001C,00000000,004E2CF7), ref: 00480B1E

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,00000001,00000000,004E2A27,-00000010,?,00000004,0000001C,00000000,004E2CF7,?,004B9C20,00000000,004E2D5F), ref: 00480A98

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

ShutdownBlockReasonCreate, xrefs: 00480A8E
user32.dll, xrefs: 00480A93

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 1883125708-2866557904
Opcode ID: cba206176e321c2248df8f07573990aafbe82fc30c36031109e3db0fced35097
Instruction ID: 79447cd1c673bd27a84cde0503538fed572911d91e3c84c19a2cc8397376a013
Opcode Fuzzy Hash: cba206176e321c2248df8f07573990aafbe82fc30c36031109e3db0fced35097
Instruction Fuzzy Hash: 74E0C2227307203A828572BE0C91E2F008C8EE165D3250C3BF011E2243D9ADCC0A43AD

Uniqueness

Uniqueness Score: -1.00%

Function 0047F76C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,004AE3B7,00000000,004AE485,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,004AE8AA), ref: 0047F788

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

GetSystemWow64DirectoryW, xrefs: 0047F77E
kernel32.dll, xrefs: 0047F783

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 1646373207-1816364905
Opcode ID: eb526a96aee00dbf9922fd1fc3311155f8d221ae4800e0dbb879c4833c95c512
Instruction ID: 412d5bacbf79827374aefda064c0b559e41995f1cda14a6537f5920562d1a11a
Opcode Fuzzy Hash: eb526a96aee00dbf9922fd1fc3311155f8d221ae4800e0dbb879c4833c95c512
Instruction Fuzzy Hash: C8E04F7574070122E7187A7A4CC3A9B628A4BC4718F21C83F7D58E62C2EDBDD85991AE

Uniqueness

Uniqueness Score: -1.00%

Function 00480B10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,00480A8E,?,00000001,00000000,004E2A27,-00000010,?,00000004,0000001C,00000000,004E2CF7), ref: 00480B1E

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

ShutdownBlockReasonDestroy, xrefs: 00480B14
user32.dll, xrefs: 00480B19

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: a7eb69d71fc96fd2ddc9f0547160bb4e08446ee1fd4729be9739ec2ba6458bc7
Instruction ID: 2959378bc619908520cc3192cfb0d83b3cedef6012161ff5f635b626915d44a1
Opcode Fuzzy Hash: a7eb69d71fc96fd2ddc9f0547160bb4e08446ee1fd4729be9739ec2ba6458bc7
Instruction Fuzzy Hash: E9D0C77277171226569035FD1CD1E9F41CC4E5029D3250C77F600E2141D65DEC0553AC

Uniqueness

Uniqueness Score: -1.00%

Function 00457DBC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

ReleaseCapture.USER32(00000001,0045B36D,?,?,004A7FD4), ref: 00457DBF
SetCapture.USER32(00000000,00000001,0045B36D,?,?,004A7FD4), ref: 00457DF7

Strings

0bE, xrefs: 00457DD1

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: Capture$Release
String ID: 0bE
API String ID: 1520983071-2320990392
Opcode ID: 6d2a8108a6fcb73d0560affb8cef7f23f52f332879f379de645f4867c20330a3
Instruction ID: 683dfa72efed88b53fae5c14e3780d24a01f109073a4d945c3f91bb0a2f9337b
Opcode Fuzzy Hash: 6d2a8108a6fcb73d0560affb8cef7f23f52f332879f379de645f4867c20330a3
Instruction Fuzzy Hash: AAE0B6A07143415BDF90AFBAECC562676B8AF5830AB90047FAD44D7263DB38CC9C9618

Uniqueness

Uniqueness Score: -1.00%

Function 00437D2C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ole32.dll,?,00437DC6), ref: 00437D32

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

ole32.dll, xrefs: 00437D2D
CoWaitForMultipleHandles, xrefs: 00437D3D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CoWaitForMultipleHandles$ole32.dll
API String ID: 1646373207-2593175619
Opcode ID: 35b0bef4dfc9659daad810b61a3aab729d95fe9c41ec001c443472eedbd0cf14
Instruction ID: 0149acf13786976e2a4af3a01f736d63f69722109c54f667bd01582105e5bde7
Opcode Fuzzy Hash: 35b0bef4dfc9659daad810b61a3aab729d95fe9c41ec001c443472eedbd0cf14
Instruction Fuzzy Hash: 52D0A7F05843865ED3302F70ACC1B3F22886F28305F10352BA24015246CFBC4808E209

Uniqueness

Uniqueness Score: -1.00%

Function 004FE938, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,005015C1,00000001,00000000,005015E7,?,?,000000EC,00000000), ref: 004FE942

Part of subcall function 00409620: GetProcAddress.KERNEL32(?,?), ref: 00409644

Strings

DisableProcessWindowsGhosting, xrefs: 004FE938
user32.dll, xrefs: 004FE93D

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: b750718c54b1d66c76d5268335dadb66959e94e7d35c1e60bece79ba6f437278
Instruction ID: f581f122bcf6faacbdd4851cc66fbe71bba6765382ad350e4d823a968a8ec416
Opcode Fuzzy Hash: b750718c54b1d66c76d5268335dadb66959e94e7d35c1e60bece79ba6f437278
Instruction Fuzzy Hash: 5DB092E024030B20E89036B30C02F7E0988098070AB20082B3710E01E6DDEDC801903E

Uniqueness

Uniqueness Score: -1.00%

Function 004B0150, Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 004B016F
Sleep.KERNEL32(?), ref: 004B017F
GetLastError.KERNEL32 ref: 004B0192
GetLastError.KERNEL32 ref: 004B019C

Memory Dump Source

Source File: 00000001.00000002.340374383.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340362088.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341198837.0000000000500000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341233193.0000000000502000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341291866.0000000000505000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341310077.0000000000506000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341332675.000000000050A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341347705.000000000050D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341380600.000000000050F000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341407627.0000000000513000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341467893.0000000000526000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_sfk_setup.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 8aed3ecdaa6076ae5b8c1427ed8a7739de09f5a3d5432152b7e74c50d0b4f5de
Instruction ID: 92681db64e874939f8d1900fd927e10286de231ff93eb9788c8e0b68939e36e1
Opcode Fuzzy Hash: 8aed3ecdaa6076ae5b8c1427ed8a7739de09f5a3d5432152b7e74c50d0b4f5de
Instruction Fuzzy Hash: 2DF05073A01214775B38A59F8D419DFB65DDA4175671002ABF444D7305D93FCD4243BC

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: spmm.exe PID: 5340 Parent PID: 6448 spmm.exeCOMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	505
Total number of Limit Nodes:	12

Executed Functions

Function 00409AC4, Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409AC4(intOrPtr _a4) {
				void* _t17;
				void* _t22;
				void* _t23;

				_t23 = 1;
				L00402564();
				GetLocaleInfoW( *(_a4 - 0x210) & 0x0000ffff, 3,  *(_a4 - 0x210),  *(_a4 - 0x214));
				_t17 = E004099DC(_a4); // executed
				if(_t17 == 0) {
					( *(_a4 - 0x210))[2] = 0;
					_t22 = E004099DC(_a4); // executed
					if(_t22 == 0) {
						_t23 = 0;
					}
				}
				return _t23;
			}

0x00409ac8
0x00409ae0
0x00409ae9
0x00409af2
0x00409afa
0x00409b05
0x00409b0f
0x00409b17
0x00409b19
0x00409b19
0x00409b17
0x00409b1f

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,?,00000000,?,00409C88,?,?,?,00000000,00000105,00000000,00409CBF), ref: 00409AE0
GetLocaleInfoW.KERNEL32(?,00000003,?,?,00000000,?,00409C88,?,?,?,00000000,00000105,00000000,00409CBF), ref: 00409AE9

Part of subcall function 004099DC: FindFirstFileW.KERNEL32(?,?,00000000), ref: 004099F6

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: DefaultFileFindFirstInfoLanguageLocaleUser
String ID:
API String ID: 2528734723-0
Opcode ID: 6070996e72b8730603dd300d3539cce128b8e7cda205c3e71a24095bfd099dfa
Instruction ID: ee886066074a640b9d9ddc2bd07d8be33443f373718229fe16f736281ef7ddbd
Opcode Fuzzy Hash: 6070996e72b8730603dd300d3539cce128b8e7cda205c3e71a24095bfd099dfa
Instruction Fuzzy Hash: 92F030752012056FDF00DE9DD8D89A677E8BB14364F40406AF94CDB392C675ED418B64

Uniqueness

Uniqueness Score: -1.00%

Function 004099DC, Relevance: 1.5, APIs: 1, Instructions: 21
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004099DC(intOrPtr _a4) {
				struct _WIN32_FIND_DATAW _v596;
				void* _t8;
				signed int _t10;
				signed int _t11;

				_t8 = FindFirstFileW(_a4 + 0xfffffdf6,  &_v596); // executed
				_t11 = _t10 & 0xffffff00 | _t8 != 0xffffffff;
				if(_t11 != 0) {
					_push(_t8);
					E0040252C();
				}
				return _t11;
			}

0x004099f6
0x004099fe
0x00409a03
0x00409a05
0x00409a06
0x00409a06
0x00409a11

APIs

FindFirstFileW.KERNEL32(?,?,00000000), ref: 004099F6

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 16ed7c153c117beebc382fc64e0873b44ff44f21401ab52c57d64de878d53720
Instruction ID: c8a9dbe6f994e8374959f60b0de4a5bdfe188818da721705f4e738c07e5ade3b
Opcode Fuzzy Hash: 16ed7c153c117beebc382fc64e0873b44ff44f21401ab52c57d64de878d53720
Instruction Fuzzy Hash: 9CD02B7250110833CA2099BC5C99A8F734C5B01334B4807677958E33C1FA35D910059C

Uniqueness

Uniqueness Score: -1.00%

Function 00409670, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 156
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00409670(char __eax, void* __ebx, void* __edx) {
				char _v8;
				char* _v12;
				void* _v16;
				int _v20;
				short _v542;
				long _t49;
				void* _t61;
				long _t82;
				long _t84;
				long _t86;
				void* _t90;
				intOrPtr _t96;
				intOrPtr _t98;
				void* _t102;
				void* _t103;
				intOrPtr _t104;

				_t102 = _t103;
				_t104 = _t103 + 0xfffffde4;
				_t90 = __edx;
				_v8 = __eax;
				L00406EC4(_v8);
				_push(_t102);
				_push(0x409855);
				_push( *[fs:eax]);
				 *[fs:eax] = _t104;
				if(_v8 != 0) {
					lstrcpynW( &_v542, E00406F68(_v8), 0x105);
				} else {
					GetModuleFileNameW(0,  &_v542, 0x105);
				}
				if(_v542 == 0) {
					L16:
					_pop(_t96);
					 *[fs:eax] = _t96;
					_push(E0040985C);
					return L00406ECC( &_v8);
				} else {
					_v12 = 0;
					_t49 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
					if(_t49 == 0) {
						L8:
						_push(_t102);
						_push(0x409838);
						_push( *[fs:eax]);
						 *[fs:eax] = _t104;
						E00409474( &_v542, 0x105);
						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
							if(RegQueryValueExW(_v16, 0x40990c, 0, 0, 0,  &_v20) == 0) {
								_v12 = E0040429C(_v20);
								RegQueryValueExW(_v16, 0x40990c, 0, 0, _v12,  &_v20);
								E00407098(_t90, _v12);
							}
						} else {
							_v12 = E0040429C(_v20);
							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
							E00407098(_t90, _v12);
						}
						_pop(_t98);
						 *[fs:eax] = _t98;
						_push(0x40983f);
						if(_v12 != 0) {
							E004042B8(_v12);
						}
						_t61 = _v16;
						_push(_t61);
						E004025C4();
						return _t61;
					} else {
						_t82 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
						if(_t82 == 0) {
							goto L8;
						} else {
							_t84 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
							if(_t84 == 0) {
								goto L8;
							} else {
								_t86 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
								if(_t86 != 0) {
									goto L16;
								} else {
									goto L8;
								}
							}
						}
					}
				}
			}

0x00409671
0x00409673
0x0040967a
0x0040967c
0x00409682
0x00409689
0x0040968a
0x0040968f
0x00409692
0x00409699
0x004096c5
0x0040969b
0x004096a9
0x004096a9
0x004096d2
0x0040983f
0x00409841
0x00409844
0x00409847
0x00409854
0x004096d8
0x004096da
0x004096f2
0x004096f9
0x00409759
0x0040975b
0x0040975c
0x00409761
0x00409764
0x00409772
0x00409793
0x004097e2
0x004097ec
0x00409804
0x0040980e
0x0040980e
0x00409795
0x0040979d
0x004097b7
0x004097c1
0x004097c1
0x00409815
0x00409818
0x0040981b
0x00409824
0x00409829
0x00409829
0x0040982e
0x00409831
0x00409832
0x00409837
0x004096fb
0x00409710
0x00409717
0x00000000
0x00409719
0x0040972e
0x00409735
0x00000000
0x00409737
0x0040974c
0x00409753
0x00000000
0x00000000
0x00000000
0x00000000
0x00409753
0x00409735
0x00409717
0x004096f9

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,00409855,?,00000000), ref: 004096A9
lstrcpynW.KERNEL32(?,00000000,00000105,00000000,00409855,?,00000000), ref: 004096C5
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,00409855,?,00000000), ref: 004096F2
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,00409855), ref: 00409710
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?), ref: 0040972E
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040974C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00409838,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000), ref: 0040978C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,00409838,?,80000001), ref: 004097B7
RegQueryValueExW.ADVAPI32(?,0040990C,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,00409838,?,80000001), ref: 004097DB
RegQueryValueExW.ADVAPI32(?,0040990C,00000000,00000000,?,?,?,0040990C,00000000,00000000,00000000,?,?,?,00000000,00000000), ref: 00409804

Strings

Software\Borland\Locales, xrefs: 00409724
Software\Borland\Delphi\Locales, xrefs: 00409742
Software\CodeGear\Locales, xrefs: 004096E8, 00409706

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: OpenQueryValue$FileModuleNamelstrcpyn
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
API String ID: 290084891-345420546
Opcode ID: 9d0eff0f3586b37220f78447d8b6b99970837f4eab4bad7314dff4b5ee591c2a
Instruction ID: 3007717e43c8ff548d1e7313995b60d7fba9788091498b26deda09e4ce277851
Opcode Fuzzy Hash: 9d0eff0f3586b37220f78447d8b6b99970837f4eab4bad7314dff4b5ee591c2a
Instruction Fuzzy Hash: 47510675A50208BEEB10EAA5CC56FAE73ACDB05704F604477B604F62C2D6B89E44CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 6.1, APIs: 4, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00409B20(char __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				short _v526;
				char _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				char _v548;
				char _v552;
				char _v556;
				signed short _t56;
				signed short _t59;
				signed short _t60;
				signed short _t69;
				intOrPtr _t81;
				signed int _t85;
				signed int _t86;
				intOrPtr* _t91;
				void* _t93;
				void* _t96;

				_t95 = _t96;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v556 = 0;
				_v552 = 0;
				_v548 = 0;
				_t93 = __ecx;
				_v544 = __edx;
				_v540 = __eax;
				L00406EC4(_v540);
				L00406EC4(_v544);
				_t91 =  &_v532;
				_push(_t96);
				_push(0x409cbf);
				 *[fs:eax] = _t96 + 0xfffffdd8;
				E00406EDC(__ecx, 0,  *[fs:eax]);
				_t69 = 0;
				lstrcpynW( &_v526, E00406F68(_v544), 0x105);
				 *_t91 = lstrlenW( &_v526) + _t40 +  &_v526 - 2;
				while( *((short*)( *_t91)) != 0x2e &&  &_v526 !=  *_t91) {
					 *_t91 =  *_t91 - 2;
				}
				if( &_v526 !=  *_t91) {
					 *_t91 =  *_t91 + 2;
					 *((short*)( *_t91)) = 0;
					_t85 =  *_t91 -  &_v526;
					_t86 = _t85 >> 1;
					if(_t85 < 0) {
						asm("adc edx, 0x0");
					}
					_v536 = 0x105 - _t86;
					_t56 = E00409670(_v540, _t69,  &_v548); // executed
					if(_v548 == 0) {
						L00402564();
						E0040932C(_t56, _t69,  &_v552, _t91, _t93);
						_t59 = E00409A14(_v552, _t69, _t91, _t93, _t95); // executed
						_t69 = _t59;
						if(_t69 == 0 &&  *0x599b58 == 0) {
							L0040258C();
							E0040932C(_t59, _t69,  &_v556, _t91, _t93);
							_t69 = E00409A14(_v556, _t69, _t91, _t93, _t95);
						}
						if(_t69 == 0) {
							_t60 = E00409AC4(_t95); // executed
							_t69 = _t60;
						}
					} else {
						_t69 = E00409A14(_v548, _t69, _t91, _t93, _t95);
					}
				}
				if(_t69 != 0) {
					E004070EC(_t93, 0x105,  &_v526);
				}
				_pop(_t81);
				 *[fs:eax] = _t81;
				_push(E00409CC6);
				return L00406ED4( &_v556, 5);
			}

0x00409b21
0x00409b29
0x00409b2a
0x00409b2b
0x00409b2e
0x00409b34
0x00409b3a
0x00409b40
0x00409b42
0x00409b48
0x00409b54
0x00409b5f
0x00409b64
0x00409b6c
0x00409b6d
0x00409b75
0x00409b7c
0x00409b81
0x00409b9b
0x00409bb9
0x00409bc0
0x00409bbd
0x00409bbd
0x00409bda
0x00409be0
0x00409be5
0x00409bf2
0x00409bf4
0x00409bf6
0x00409bf8
0x00409bf8
0x00409c02
0x00409c14
0x00409c20
0x00409c34
0x00409c3f
0x00409c4a
0x00409c50
0x00409c54
0x00409c60
0x00409c6b
0x00409c7c
0x00409c7c
0x00409c80
0x00409c83
0x00409c89
0x00409c89
0x00409c22
0x00409c2f
0x00409c2f
0x00409c20
0x00409c8d
0x00409c9c
0x00409c9c
0x00409ca3
0x00409ca6
0x00409ca9
0x00409cbe

APIs

lstrcpynW.KERNEL32(?,00000000,00000105,00000000,00409CBF,?,?,?,00000000), ref: 00409B9B
lstrlenW.KERNEL32(?,?,00000000,00000105,00000000,00409CBF,?,?,?,00000000), ref: 00409BA7
GetUserDefaultUILanguage.KERNEL32(?,?,?,00000000,00000105,00000000,00409CBF,?,?,?,00000000), ref: 00409C34
GetSystemDefaultUILanguage.KERNEL32(?,?,?,00000000,00000105,00000000,00409CBF,?,?,?,00000000), ref: 00409C60

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: DefaultLanguage$SystemUserlstrcpynlstrlen
String ID:
API String ID: 3749826553-0
Opcode ID: 0d1e1ffebd8f80a951e6f8b80dfa27e851314d7392455f668c1fcfa3c2e4bbb6
Instruction ID: d17f82ca85c5cdec2f0abc452757c0c13818f680428626e620e62c3ebbacc4e9
Opcode Fuzzy Hash: 0d1e1ffebd8f80a951e6f8b80dfa27e851314d7392455f668c1fcfa3c2e4bbb6
Instruction Fuzzy Hash: A3419571A043199BD720DB69EC897CAB3F5AF48314F5005FAE408B72D2DB786E808E5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041495C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041495C(void* __eax) {
				signed char _t8;
				long _t15;
				void* _t16;

				_t16 = __eax;
				_t8 = GetFileAttributesW(E00406F68(__eax)); // executed
				if(_t8 == 0xffffffff) {
					_t15 = GetLastError();
					if(_t15 == 2 || _t15 == 3 || _t15 == 0x7b || E0041491C(_t16) == 0) {
						return 0;
					} else {
						return 1;
					}
				}
				return _t8 & 0xffffff00 | (_t8 & 0x00000010) == 0x00000000;
			}

0x0041495e
0x00414968
0x00414970
0x0041497f
0x00414984
0x00000000
0x0041499f
0x00000000
0x0041499f
0x00414984
0x00414979

APIs

GetFileAttributesW.KERNEL32(00000000,?,00000001,0044C2A1,0044C3CE,00000000,0044C404,?,?,00000000,00000000,00000000,00000000,?,0044C227,0044C489), ref: 00414968
GetLastError.KERNEL32(00000000,?,00000001,0044C2A1,0044C3CE,00000000,0044C404,?,?,00000000,00000000,00000000,00000000,?,0044C227,0044C489), ref: 0041497A

Strings

{, xrefs: 0041498B

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLast
String ID: {
API String ID: 1799206407-366298937
Opcode ID: 4146cc8576144736cb9b0cb3923772710183fc9c21747fbc234cd1e53fa61904
Instruction ID: fd6e9434aefb07574495d3e3ac9fe6941b8627144b9c833ac751b20a94b44d16
Opcode Fuzzy Hash: 4146cc8576144736cb9b0cb3923772710183fc9c21747fbc234cd1e53fa61904
Instruction Fuzzy Hash: ECE04FF2231221054D2420FD58CA2EF034488C53E93241A67F851E32D2D31D4DD212ED

Uniqueness

Uniqueness Score: -1.00%

Function 00403968, Relevance: 3.8, APIs: 3, Instructions: 32
sleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403968() {
				signed int _t3;

				if( *0x597055 != 0) {
					while(1) {
						_t3 = E004027C8(0);
						if(_t3 == 0) {
							goto L6;
						}
						if( *0x5978dd != 0) {
							continue;
						} else {
							Sleep(0);
							_t3 = E004027C8(0);
							if(_t3 != 0) {
								Sleep(0xa);
								continue;
							}
						}
						goto L6;
					}
				}
				L6:
				if( *0x599ae0 == 0) {
					_t3 = VirtualAlloc(0, 0x10000, 0x1000, 4); // executed
					 *0x599ae0 = _t3;
				}
				return _t3 & 0xffffff00 |  *0x599ae0 != 0x00000000;
			}

0x0040396f
0x0040399c
0x004039a5
0x004039ac
0x00000000
0x00000000
0x0040397a
0x00000000
0x0040397c
0x0040397e
0x0040398c
0x00403993
0x00403997
0x00000000
0x00403997
0x00403993
0x00000000
0x0040397a
0x0040399c
0x004039ae
0x004039b5
0x004039c5
0x004039ca
0x004039ca
0x004039d9

APIs

Sleep.KERNEL32(00000000), ref: 0040397E
Sleep.KERNEL32(0000000A,00000000), ref: 00403997
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004), ref: 004039C5

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: Sleep$AllocVirtual
String ID:
API String ID: 3510833457-0
Opcode ID: 2db918622c12b1b43e7a4a55d6d95db6737fc6618c19896b34a5f0431a54d179
Instruction ID: 535e89559772e6164b01432cd784d2a2cb50b5f1589ed873aa466a658651c593
Opcode Fuzzy Hash: 2db918622c12b1b43e7a4a55d6d95db6737fc6618c19896b34a5f0431a54d179
Instruction Fuzzy Hash: 86F0A7A061834059EF11AB755D0EB5A2AC5A71578EF01053FA1013F2D1C7FD4548E35E

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF83, Relevance: 3.1, APIs: 2, Instructions: 75
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,?), ref: 0040C000
GetProcAddress.KERNEL32(?,00000000), ref: 0040C022

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 98de7b284bf15df69ad069188a9edb2b2b81aff34d761054db3d8418c9e2c970
Instruction ID: 38183c811676228782f372cc6e1be71cdd9e012810f8ffa96d87d906dea23c55
Opcode Fuzzy Hash: 98de7b284bf15df69ad069188a9edb2b2b81aff34d761054db3d8418c9e2c970
Instruction Fuzzy Hash: 1921367050C285DBCB11DF6048C1A5A3F44EB4A340B114AF7F851A7EC7E73C490AC75A

Uniqueness

Uniqueness Score: -1.00%

Function 00409910, Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00409910(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				short _v530;
				char _v536;
				char _v540;
				void* _t44;
				intOrPtr _t45;
				void* _t49;
				void* _t52;

				_v536 = 0;
				_v540 = 0;
				_v8 = 0;
				_t49 = __eax;
				_push(_t52);
				_push(0x4099ca);
				_push( *[fs:eax]);
				 *[fs:eax] = _t52 + 0xfffffde8;
				GetModuleFileNameW(0,  &_v530, 0x105);
				E00407098( &_v536, _t49);
				_push(_v536);
				E004070EC( &_v540, 0x105,  &_v530);
				_pop(_t44); // executed
				E00409B20(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
				if(_v8 != 0) {
					LoadLibraryExW(E00406F68(_v8), 0, 2);
				}
				_pop(_t45);
				 *[fs:eax] = _t45;
				_push(E004099D1);
				L00406ED4( &_v540, 2);
				return L00406ECC( &_v8);
			}

0x0040991d
0x00409923
0x00409929
0x0040992c
0x00409930
0x00409931
0x00409936
0x00409939
0x0040994c
0x00409959
0x00409964
0x00409976
0x00409984
0x00409985
0x0040998e
0x0040999d
0x004099a2
0x004099a6
0x004099a9
0x004099ac
0x004099bc
0x004099c9

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,004099CA,?,00400000,0058F9FC), ref: 0040994C

Part of subcall function 00409B20: lstrcpynW.KERNEL32(?,00000000,00000105,00000000,00409CBF,?,?,?,00000000), ref: 00409B9B
Part of subcall function 00409B20: lstrlenW.KERNEL32(?,?,00000000,00000105,00000000,00409CBF,?,?,?,00000000), ref: 00409BA7

LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,004099CA,?,00400000,0058F9FC), ref: 0040999D

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: FileLibraryLoadModuleNamelstrcpynlstrlen
String ID:
API String ID: 2912033995-0
Opcode ID: 0fc7cbb966b62f8c1965a4f160ae8c24184398c5f533de506291cb89663fbd22
Instruction ID: eaee773932d0887a65d71e5a74e0d2d25e271b404bccf1986841b843cc2e0f4d
Opcode Fuzzy Hash: 0fc7cbb966b62f8c1965a4f160ae8c24184398c5f533de506291cb89663fbd22
Instruction Fuzzy Hash: 77118270A4421C9BDB14EB60CC96BDD73B8EB08304F5140BFB508B32D1DA785F848A99

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB36, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0040CB36(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
				WCHAR* _v8;
				void* _t13;
				struct HWND__* _t24;
				WCHAR* _t31;
				long _t38;

				_push(_t31);
				_v8 = _t31;
				_t38 = __eax;
				_t13 = E00404788();
				_t24 = CreateWindowExW(_t38, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				E00404778(_t13);
				return _t24;
			}

0x0040cb3b
0x0040cb3f
0x0040cb44
0x0040cb46
0x0040cb77
0x0040cb80
0x0040cb8c

APIs

CreateWindowExW.USER32 ref: 0040CB77

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5661d2120d672029efef46fe572fda2284235a7269b1bc028f57fb20ffdf4639
Instruction ID: 63bd54346a2bf05658814b0353dc011533eeb19b037e5cfadd59b65fb66c3250
Opcode Fuzzy Hash: 5661d2120d672029efef46fe572fda2284235a7269b1bc028f57fb20ffdf4639
Instruction Fuzzy Hash: A4F097B6700118BF9B40DE9DDC81EDB77ECEB4D264B454129FA0CE3201D634ED118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00408AB4, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00408AB4(void* __eax) {
				short _v532;
				void* __ebx;
				void* __esi;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t16 = __eax;
				_t22 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					_t3 = _t16 + 4; // 0x400000
					GetModuleFileNameW( *_t3,  &_v532, 0x20a);
					_t14 = E00409910(_t21, _t16, _t18, _t19, _t22); // executed
					_t20 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
					if(_t20 == 0) {
						_t5 = _t16 + 4; // 0x400000
						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
					}
				}
				_t7 = _t16 + 0x10; // 0x400000
				return  *_t7;
			}

0x00408abc
0x00408abe
0x00408ac2
0x00408ace
0x00408ad2
0x00408adb
0x00408ae0
0x00408ae2
0x00408ae7
0x00408ae9
0x00408aec
0x00408aec
0x00408ae7
0x00408aef
0x00408afa

APIs

GetModuleFileNameW.KERNEL32(00400000,?,0000020A), ref: 00408AD2

Part of subcall function 00409910: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,004099CA,?,00400000,0058F9FC), ref: 0040994C
Part of subcall function 00409910: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,004099CA,?,00400000,0058F9FC), ref: 0040999D

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: 9d395ffd40331b3e71ea0a3a2682e1b358aa860d0ec12e2a232b99f9009bdc38
Instruction ID: 8bb5c00dff575b5ab43b3b5d267abfeafb8fb0ca9fc303762ee77e0d218b627c
Opcode Fuzzy Hash: 9d395ffd40331b3e71ea0a3a2682e1b358aa860d0ec12e2a232b99f9009bdc38
Instruction Fuzzy Hash: 07E0EDB1A003109FCF10DE68C9C5A4737D4AB08755F0449AAAD54DF387E775DD108BD5

Uniqueness

Uniqueness Score: -1.00%

Function 0040A62E, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0040A62E() {
				void* _t5;
				struct _SYSTEM_INFO* _t6;

				0x2940004();
				_t6 = _t5 + 0xffffffdc;
				GetSystemInfo(_t6); // executed
				return _t6->dwNumberOfProcessors;
			}

0x0040a630
0x0040a638
0x0040a63c
0x0040a648

APIs

GetSystemInfo.KERNEL32 ref: 0040A63C

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: efb7aef27c7d322248a843b19fc98fd4a12c21f35c0b128e0e0d8874cf21a979
Instruction ID: 708764fc21134024ee5fd9aecae345842daa2a04fd6c71c732e5d9cbb74ee80f
Opcode Fuzzy Hash: efb7aef27c7d322248a843b19fc98fd4a12c21f35c0b128e0e0d8874cf21a979
Instruction Fuzzy Hash: 6DB09B5470550107CA08B77D5D4644B72C05B40618BC406347569D63C2FD6DD967459F

Uniqueness

Uniqueness Score: -1.00%

Function 00409A14, Relevance: 1.3, APIs: 1, Instructions: 57
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00409A14(char __eax, void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				char _v9;
				void* _t24;
				WCHAR* _t29;
				intOrPtr _t33;
				WCHAR* _t35;
				signed int _t37;
				void* _t40;

				_v8 = __eax;
				L00406EC4(_v8);
				_push(_t40);
				_push(0x409ab1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t40 + 0xfffffff8;
				_v9 = 1;
				_t29 = E00406F68(_v8);
				while( *_t29 != 0) {
					_t35 = _t29;
					while(1) {
						_t37 =  *_t29 & 0x0000ffff;
						if(_t37 == 0x2c || _t37 == 0) {
							break;
						}
						_t29 =  &(_t29[1]);
					}
					if( *_t29 == 0x2c) {
						 *_t29 = 0;
						_t29 =  &(_t29[1]);
					}
					lstrcpynW( *(_a4 - 0x210), _t35,  *(_a4 - 0x214));
					_t24 = E004099DC(_a4); // executed
					if(_t24 == 0) {
						continue;
					}
					L10:
					_pop(_t33);
					 *[fs:eax] = _t33;
					_push(E00409AB8);
					return L00406ECC( &_v8);
				}
				_v9 = 0;
				goto L10;
			}

0x00409a1d
0x00409a23
0x00409a2a
0x00409a2b
0x00409a30
0x00409a33
0x00409a36
0x00409a42
0x00409a91
0x00409a46
0x00409a4d
0x00409a4d
0x00409a54
0x00000000
0x00000000
0x00409a4a
0x00409a4a
0x00409a5f
0x00409a61
0x00409a66
0x00409a66
0x00409a7e
0x00409a87
0x00409a8f
0x00000000
0x00000000
0x00409a9b
0x00409a9d
0x00409aa0
0x00409aa3
0x00409ab0
0x00409ab0
0x00409a97
0x00000000

APIs

lstrcpynW.KERNEL32(?,00000000,?,00000000,00409AB1,?,?,?,00000000), ref: 00409A7E

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: lstrcpyn
String ID:
API String ID: 97706510-0
Opcode ID: 78263b6cd3f4980ffb2e3f531d674eec8fa5a46a7d8b74f7e7b43e215b66d91e
Instruction ID: 177231fdedc1b1bfed317e7ff88e999e2b9ae120c315e758433dd1db180f0c76
Opcode Fuzzy Hash: 78263b6cd3f4980ffb2e3f531d674eec8fa5a46a7d8b74f7e7b43e215b66d91e
Instruction Fuzzy Hash: 8011E371600244EECF21DBA9C886AAA77E8EB45750F5100BBF800A73C2D7B85D008B69

Uniqueness

Uniqueness Score: -1.00%

Function 00402A60, Relevance: 1.3, APIs: 1, Instructions: 38
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00402A60(signed int __eax, void* __edx) {
				void* _t4;
				intOrPtr _t7;
				signed int _t8;
				void* _t10;
				void** _t16;
				void* _t18;

				_t8 = __eax;
				E004029F4(__eax, __edx);
				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
				if(_t4 == 0) {
					 *0x597a44 = 0;
					return 0;
				} else {
					_t16 =  *0x597a30; // 0x36c0000
					_t10 = _t4;
					 *_t10 = 0x597a2c;
					 *0x597a30 = _t4;
					 *(_t10 + 4) = _t16;
					 *_t16 = _t4;
					_t18 = _t4 + 0x13fff0;
					 *((intOrPtr*)(_t18 - 4)) = 2;
					 *0x597a44 = 0x13ffe0 - _t8;
					_t7 = _t18 - _t8;
					 *0x597a40 = _t7;
					 *(_t7 - 4) = _t8 | 0x00000002;
					return _t7;
				}
			}

0x00402a61
0x00402a63
0x00402a76
0x00402a7d
0x00402ace
0x00402ad6
0x00402a7f
0x00402a7f
0x00402a85
0x00402a87
0x00402a8d
0x00402a92
0x00402a95
0x00402a99
0x00402aa4
0x00402ab1
0x00402ab9
0x00402abb
0x00402ac8
0x00402acb
0x00402acb

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004), ref: 00402A76

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4846e254d0793c8cb1b214bb7aaaabbc1047cad3d99677a9d84f30508bd41ba8
Instruction ID: 7bbd792122153792c09c3726b0ad07163880fffdca4fcbdc706172aa92377014
Opcode Fuzzy Hash: 4846e254d0793c8cb1b214bb7aaaabbc1047cad3d99677a9d84f30508bd41ba8
Instruction Fuzzy Hash: C3F0A9F0B253004BDB148F788E4430A7AD2F789308F20917FE509DB7E8EBB584099B04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00409474, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 152
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00409474(WCHAR* __eax, int __edx) {
				WCHAR* _v8;
				int _v12;
				WCHAR* _v16;
				void* _v20;
				struct _WIN32_FIND_DATAW _v612;
				short _v1134;
				signed int _t53;
				signed int _t54;
				signed int _t59;
				signed int _t60;
				signed int _t104;
				signed int _t105;
				intOrPtr* _t106;
				WCHAR* _t113;
				WCHAR* _t115;
				short* _t116;
				void* _t117;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_v20 = GetModuleHandleW(L"kernel32.dll");
				if(_v20 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t115 =  &(_v8[2]);
						goto L10;
					} else {
						if(_v8[1] == 0x5c) {
							_t116 = E00409450( &(_v8[2]));
							if( *_t116 != 0) {
								_t17 = _t116 + 2; // 0x2
								_t115 = E00409450(_t17);
								if( *_t115 != 0) {
									L10:
									_t104 = _t115 - _v8;
									_t105 = _t104 >> 1;
									if(_t104 < 0) {
										asm("adc ebx, 0x0");
									}
									lstrcpynW( &_v1134, _v8, _t105 + 1);
									while( *_t115 != 0) {
										_t113 = E00409450( &(_t115[1]));
										_t53 = _t113 - _t115;
										_t54 = _t53 >> 1;
										if(_t53 < 0) {
											asm("adc eax, 0x0");
										}
										if(_t54 + _t105 + 1 <= 0x105) {
											_t59 = _t113 - _t115;
											_t60 = _t59 >> 1;
											if(_t59 < 0) {
												asm("adc eax, 0x0");
											}
											lstrcpynW( &_v1134 + _t105 + _t105, _t115, _t60 + 1);
											_v20 = FindFirstFileW( &_v1134,  &_v612);
											if(_v20 != 0xffffffff) {
												_push(_v20);
												E0040252C();
												if(lstrlenW( &(_v612.cFileName)) + _t105 + 1 + 1 <= 0x105) {
													 *((short*)(_t117 + _t105 * 2 - 0x46a)) = 0x5c;
													lstrcpynW( &(( &_v1134 + _t105 + _t105)[1]),  &(_v612.cFileName), 0x105 - _t105 - 1);
													_t105 = _t105 + lstrlenW( &(_v612.cFileName)) + 1;
													_t115 = _t113;
													continue;
												}
											}
										}
										goto L23;
									}
									lstrcpynW(_v8,  &_v1134, _v12);
								}
							}
						}
					}
				} else {
					_t106 = GetProcAddress(_v20, "GetLongPathNameW");
					if(_t106 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v1134);
						_push(_v8);
						if( *_t106() == 0) {
							goto L4;
						} else {
							lstrcpynW(_v8,  &_v1134, _v12);
						}
					}
				}
				L23:
				return _v16;
			}

0x00409480
0x00409483
0x00409489
0x00409496
0x0040949d
0x004094e2
0x004094e9
0x00409529
0x00000000
0x004094eb
0x004094f3
0x00409504
0x0040950a
0x00409510
0x00409518
0x0040951e
0x0040952c
0x0040952e
0x00409531
0x00409533
0x00409535
0x00409535
0x00409547
0x00409616
0x00409559
0x0040955d
0x0040955f
0x00409561
0x00409563
0x00409563
0x0040956e
0x00409576
0x00409578
0x0040957a
0x0040957c
0x0040957c
0x0040958f
0x004095a7
0x004095ae
0x004095b7
0x004095b8
0x004095d4
0x004095d6
0x00409600
0x00409612
0x00409614
0x00000000
0x00409614
0x004095d4
0x004095ae
0x00000000
0x0040956e
0x0040962f
0x0040962f
0x0040951e
0x0040950a
0x004094f3
0x0040949f
0x004094ad
0x004094b1
0x00000000
0x004094b3
0x004094b3
0x004094be
0x004094c2
0x004094c7
0x00000000
0x004094c9
0x004094d8
0x004094d8
0x004094c7
0x004094b1
0x00409634
0x0040963d

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 00409491
GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 004094A8
lstrcpynW.KERNEL32(?,?,?), ref: 004094D8
lstrcpynW.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 00409547
lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 0040958F
FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 004095A2
lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 004095C4
lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?), ref: 00409600
lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?), ref: 0040960C
lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 0040962F

Strings

\, xrefs: 004095D6
kernel32.dll, xrefs: 0040948C
GetLongPathNameW, xrefs: 0040949F

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: lstrcpyn$lstrlen$AddressFileFindFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1668964249-3908791685
Opcode ID: 90f5d1168820c66d5a0e7d800a6ba545af019bdadc45a9112cab7e45387bf16b
Instruction ID: b0458d12d30f735748fdb9854b6cddb6803970ac539c7554719e865fcdb4230d
Opcode Fuzzy Hash: 90f5d1168820c66d5a0e7d800a6ba545af019bdadc45a9112cab7e45387bf16b
Instruction Fuzzy Hash: D5515272D00119ABCB10EAA9CD89ADEB3BCAB04314F1445B6A514F72D2E778DE45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 02700A64, Relevance: 9.2, Strings: 7, Instructions: 485COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
"jC, xrefs: 02700AFD
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$"jC$6tB$~LJ$_I$sG$uC
API String ID: 0-3049397370
Opcode ID: 573f0c3faef05a42ff3b65b34a032bf1bd166a3cc4b9f9f2ee394c109cae913b
Instruction ID: 917f64f6cb88bd4f09b4c48f9865644eee63ac8199341cc205a67eb0ebc66813
Opcode Fuzzy Hash: 573f0c3faef05a42ff3b65b34a032bf1bd166a3cc4b9f9f2ee394c109cae913b
Instruction Fuzzy Hash: 66E1893390C315DF8704CD78DCC4AEA7B95EAC5230B45873AE926BB1D8E721A94EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700A91, Relevance: 9.2, Strings: 7, Instructions: 470COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
"jC, xrefs: 02700AFD
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$"jC$6tB$~LJ$_I$sG$uC
API String ID: 0-3049397370
Opcode ID: 8abc6b5df00c8eec142d6a71b12e7615e5c733e144aa4fc59b7ca1cc46d7a7d9
Instruction ID: 423ff51b83d1dbc3f60da68e824345c2ee3f739a112b6e5966f2aea947f026c2
Opcode Fuzzy Hash: 8abc6b5df00c8eec142d6a71b12e7615e5c733e144aa4fc59b7ca1cc46d7a7d9
Instruction Fuzzy Hash: F0E1893350C315DF8304CD78DCC4AEA7B95EAC5234B45873AE926BB1D8E721A94EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700A9A, Relevance: 9.2, Strings: 7, Instructions: 465COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
"jC, xrefs: 02700AFD
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$"jC$6tB$~LJ$_I$sG$uC
API String ID: 0-3049397370
Opcode ID: 108f9082fad96a02814ef3eff30e2e40da1fabc6d7fdc2cacfae31ce6602fd8c
Instruction ID: 77a07891eeb11519ed1c0988ac11930373e48ea50cbdc9d626326b66905bc208
Opcode Fuzzy Hash: 108f9082fad96a02814ef3eff30e2e40da1fabc6d7fdc2cacfae31ce6602fd8c
Instruction Fuzzy Hash: A4E1883390C315DF8304CD78DCC4AEA7B95EAC5234B45873AE926BB1D8E721A94EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700AB6, Relevance: 9.2, Strings: 7, Instructions: 455COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
"jC, xrefs: 02700AFD
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$"jC$6tB$~LJ$_I$sG$uC
API String ID: 0-3049397370
Opcode ID: 89a51bac6851c031cd8ef74a6b778d2b5f9fe52c75b5b1a979e13404a54d5315
Instruction ID: f93944d82da05353d6c96605c221d285d2fb143a4f3d2fa87412ffc5846ca586
Opcode Fuzzy Hash: 89a51bac6851c031cd8ef74a6b778d2b5f9fe52c75b5b1a979e13404a54d5315
Instruction Fuzzy Hash: CEE16933508315DF8304CD78DCC4AEA7B95EAC5234B45873AE926BB1D8E721A94EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700AC2, Relevance: 9.2, Strings: 7, Instructions: 453COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
"jC, xrefs: 02700AFD
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$"jC$6tB$~LJ$_I$sG$uC
API String ID: 0-3049397370
Opcode ID: f6025138dabe21dda09de5c90af33a71beab294e6522cb21822e46c8dac21f0c
Instruction ID: 2dc9d305ea8a267f6fe38441815f7e87c15576cbe6a253f6ddd8f8565f7338f4
Opcode Fuzzy Hash: f6025138dabe21dda09de5c90af33a71beab294e6522cb21822e46c8dac21f0c
Instruction Fuzzy Hash: 4CD17933908319DF8304CD78DCC4AEA7B95EAC5234B45873AE926BB1D8E721690EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700ACF, Relevance: 9.2, Strings: 7, Instructions: 449COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
"jC, xrefs: 02700AFD
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$"jC$6tB$~LJ$_I$sG$uC
API String ID: 0-3049397370
Opcode ID: 42750f4d3bf7ae4adb8a2979a3733591c5cf5283888c61e546382d9b52aae9db
Instruction ID: d735ffd952f7a4e6bdeed64855138756d41fa5a8ab1e27af92468290477f25a6
Opcode Fuzzy Hash: 42750f4d3bf7ae4adb8a2979a3733591c5cf5283888c61e546382d9b52aae9db
Instruction Fuzzy Hash: E9D16933508319DF8304DD78DCC4AEA7B95EBC5234B45873AE926BB1D8E721A90EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700ADF, Relevance: 9.2, Strings: 7, Instructions: 444COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
"jC, xrefs: 02700AFD
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$"jC$6tB$~LJ$_I$sG$uC
API String ID: 0-3049397370
Opcode ID: 0f6ccee18bcec3a5c27615770e4acb139fa624131a600fc6246860a09bb8af2b
Instruction ID: 42196c3feeab6c549fad1169388772aac2f19cabc08c0c50e9d6aa3b503fba01
Opcode Fuzzy Hash: 0f6ccee18bcec3a5c27615770e4acb139fa624131a600fc6246860a09bb8af2b
Instruction Fuzzy Hash: 37D17A33908319DF8304DD78DCC4AEA7B95EBC5234B45873AE926BB1D8E721690EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700AF4, Relevance: 9.2, Strings: 7, Instructions: 438COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
"jC, xrefs: 02700AFD
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$"jC$6tB$~LJ$_I$sG$uC
API String ID: 0-3049397370
Opcode ID: 77f109315592b19a41cfe406a4ea5521b98706cced6dc9da0ce150fcc42519dc
Instruction ID: 17f814dc24a9882f7418219e5d2e34a31f35d5d3ca0bcee6b4ed19489d6df2a1
Opcode Fuzzy Hash: 77f109315592b19a41cfe406a4ea5521b98706cced6dc9da0ce150fcc42519dc
Instruction Fuzzy Hash: 34D17A33908319DF8304DD78DCC4AE67B95EBC5234B45873AE926B71D8E721690EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700B0B, Relevance: 7.9, Strings: 6, Instructions: 431COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$~LJ$_I$sG$uC
API String ID: 0-2670346637
Opcode ID: 008319be1edf6780a9b956f6448b9401b8780b65789fad694acb41d28fde1fca
Instruction ID: 59c9de3f2e3905112b8a4bef0e400e8b76cc9fe9bf5888004eef057c9960bf04
Opcode Fuzzy Hash: 008319be1edf6780a9b956f6448b9401b8780b65789fad694acb41d28fde1fca
Instruction Fuzzy Hash: 1AD17933908315DF8304CD78DCC4AEA7B95EBC5234B45873AE926771D8E7616A0EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700B28, Relevance: 7.9, Strings: 6, Instructions: 423COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$~LJ$_I$sG$uC
API String ID: 0-2670346637
Opcode ID: 0e4b0805b1580ae0d2e3e5265419e2d86d701dd7c4d0ef2395e573fb64eea390
Instruction ID: 10335a7ce5dabee8860074d48d4f728b895fe978acbf4afe3fd1c519d1672759
Opcode Fuzzy Hash: 0e4b0805b1580ae0d2e3e5265419e2d86d701dd7c4d0ef2395e573fb64eea390
Instruction Fuzzy Hash: C8D1793390C315DF8308DD78DCC4AEA7B95EAC5230B55873AE926BB1D8E761690EC2D4

Uniqueness

Uniqueness Score: -1.00%

Function 02700B31, Relevance: 7.9, Strings: 6, Instructions: 420COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$~LJ$_I$sG$uC
API String ID: 0-2670346637
Opcode ID: 8efba42eab57b229d5ff71ceebb1837173c5ab52b576f4e837a7133138ea48e3
Instruction ID: 79fe728d548b5b61569a969cc8523cfaad5af07630c8f5f859cdfeadcc34d6e8
Opcode Fuzzy Hash: 8efba42eab57b229d5ff71ceebb1837173c5ab52b576f4e837a7133138ea48e3
Instruction Fuzzy Hash: C5D17933908315DF8308DD78DCC4AEA7B95EBC5230B45873AE926BB1D8E761690EC2D4

Uniqueness

Uniqueness Score: -1.00%

Function 02700B3E, Relevance: 7.9, Strings: 6, Instructions: 417COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$~LJ$_I$sG$uC
API String ID: 0-2670346637
Opcode ID: 02ac8a48df6984e14bdac2f0c2c44e703df44507142823241056d58417af0790
Instruction ID: 586629f35fad4e86c9615eaeddc3c3c33a6e80d64d3a2f6be70f7baa3c61d23a
Opcode Fuzzy Hash: 02ac8a48df6984e14bdac2f0c2c44e703df44507142823241056d58417af0790
Instruction Fuzzy Hash: AFD16933908319DF8708DD78DCC4AEA7B95EAC5230B45873AE926BB1D8E761650EC2D4

Uniqueness

Uniqueness Score: -1.00%

Function 02700B43, Relevance: 7.9, Strings: 6, Instructions: 415COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$~LJ$_I$sG$uC
API String ID: 0-2670346637
Opcode ID: 03edbc912f6db6af175c0c257d4e66510e6868a80b6e9113aba3a1f44d50dddd
Instruction ID: f69637c3781e00fd7e1359ee09fb9fa90ac8903a638e251d410507e1a04a1e98
Opcode Fuzzy Hash: 03edbc912f6db6af175c0c257d4e66510e6868a80b6e9113aba3a1f44d50dddd
Instruction Fuzzy Hash: 84C16933908315DF8708DD78DC84AEA7B95EAC5230B45873AE926BB1D8E761650EC2D4

Uniqueness

Uniqueness Score: -1.00%

Function 02700B4A, Relevance: 7.9, Strings: 6, Instructions: 413COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$~LJ$_I$sG$uC
API String ID: 0-2670346637
Opcode ID: 030a83301ef89ef72c8a2202ee92e57f7bec03e39b5418bbf37577b2a0d3f48a
Instruction ID: 6d0ace01742a0fdc0e66432d86e226ef2fcded6fd09874971a03f107a969faa9
Opcode Fuzzy Hash: 030a83301ef89ef72c8a2202ee92e57f7bec03e39b5418bbf37577b2a0d3f48a
Instruction Fuzzy Hash: DAC16833908315DF8708DD7CDC84AEA7B95EBC5230B45873AE926BB1D8E761690EC2D4

Uniqueness

Uniqueness Score: -1.00%

Function 02700B62, Relevance: 7.9, Strings: 6, Instructions: 401COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$~LJ$_I$sG$uC
API String ID: 0-2670346637
Opcode ID: c12a1aaffc8f188d237a42e34a07cfaa6e82e0f7faf4d6960e0488c2525bf91e
Instruction ID: 0c17a3c9885735fb8f48104bb724b774cb2549ed1bbc701f468c484a59fe2f88
Opcode Fuzzy Hash: c12a1aaffc8f188d237a42e34a07cfaa6e82e0f7faf4d6960e0488c2525bf91e
Instruction Fuzzy Hash: 30C16733908319DB8708DD7CDCC4AEA7B95EAC5230B45873AE926BB1D8E721650EC2D4

Uniqueness

Uniqueness Score: -1.00%

Function 02700BD0, Relevance: 7.9, Strings: 6, Instructions: 389COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$~LJ$_I$sG$uC
API String ID: 0-2670346637
Opcode ID: 8ea6a5fc117dd271bb1fda30a737e78a0dc2548c92e287e3921a32a445c89c9d
Instruction ID: 40d201195714203c053ecfbca1982e7d2af1ba3021b85b2be0d2ddb34383860f
Opcode Fuzzy Hash: 8ea6a5fc117dd271bb1fda30a737e78a0dc2548c92e287e3921a32a445c89c9d
Instruction Fuzzy Hash: FFC17733908319DB8708DD7CDCC4AEA7B95DBC6230B45873AE9267B1D8EB21650EC2D4

Uniqueness

Uniqueness Score: -1.00%

Function 02700BC4, Relevance: 7.9, Strings: 6, Instructions: 367COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$~LJ$_I$sG$uC
API String ID: 0-2670346637
Opcode ID: a9a8593d4fc6920570652d9d0aef34a6ba539335cb52213d7f4f8c015fe0e36a
Instruction ID: 582ae2983ebf843e62e99bfd8cf4855f6715471d941f60d57a17c520399d5928
Opcode Fuzzy Hash: a9a8593d4fc6920570652d9d0aef34a6ba539335cb52213d7f4f8c015fe0e36a
Instruction Fuzzy Hash: B0B17833908319DB8708DD7CDCC4AEA7B91EBC5230B45873AE926BB1D8E721650EC2D4

Uniqueness

Uniqueness Score: -1.00%

Function 02700BEE, Relevance: 7.9, Strings: 6, Instructions: 354COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
~LJ, xrefs: 02700BF5
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$~LJ$_I$sG$uC
API String ID: 0-2670346637
Opcode ID: 23bb5f6c486264c77f36a6544cba235905844e22cc359209f0d55e6b0dc36442
Instruction ID: 5fa8cd7c9063b322407f8d5e03be546171beb4961de8b9fcebade1c5ad760494
Opcode Fuzzy Hash: 23bb5f6c486264c77f36a6544cba235905844e22cc359209f0d55e6b0dc36442
Instruction Fuzzy Hash: 89B18933908715DB8708DD7CDC84AEA7B91DBC6230B46873BE926BB1D8E721650EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700C2E, Relevance: 6.6, Strings: 5, Instructions: 333COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$_I$sG$uC
API String ID: 0-3780257733
Opcode ID: 3c541d962c23a151a6331adf584151af8a4bca91ca6e8d0479e310717e9fa076
Instruction ID: a2b170f9e909dd6dd5849e4ad9ebc49802cf9ff5231acea236ac1ece9e7ff81b
Opcode Fuzzy Hash: 3c541d962c23a151a6331adf584151af8a4bca91ca6e8d0479e310717e9fa076
Instruction Fuzzy Hash: 4EA16733908315DB8708D97CDC84AEA7B91EBC5270B46873EE926771D8EB21660EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700C39, Relevance: 6.6, Strings: 5, Instructions: 329COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$_I$sG$uC
API String ID: 0-3780257733
Opcode ID: 994f2a0c94c513805c799e258837d80fcc27ba9cebc7ea3de7f52bb8561482fd
Instruction ID: c30c8f2d5614f821e7158c566973d8cd9b1145a0dbc9e15ae9462cc796cf3f96
Opcode Fuzzy Hash: 994f2a0c94c513805c799e258837d80fcc27ba9cebc7ea3de7f52bb8561482fd
Instruction Fuzzy Hash: F7A16833908715DB8708D97CDC84AEA7B91EBC5230B46873EE926771D8EB21750EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700C57, Relevance: 6.6, Strings: 5, Instructions: 320COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$_I$sG$uC
API String ID: 0-3780257733
Opcode ID: bd921cbd18729d951764149038eaf4f1d66ff088117accf29be2f75eff90ae09
Instruction ID: 4a4b9275b68b00cfc873751cb3e20ae986fa0a54ef3379185ae60e23d57a284a
Opcode Fuzzy Hash: bd921cbd18729d951764149038eaf4f1d66ff088117accf29be2f75eff90ae09
Instruction Fuzzy Hash: 9CA17833908315DB8708D97CDC84AEA7B91DAC5230B46873AE9667B1D8E721790EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700C8B, Relevance: 6.6, Strings: 5, Instructions: 301COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$_I$sG$uC
API String ID: 0-3780257733
Opcode ID: a6f3561d69daa660089da6270f2a25cbdeb9bcfc1c128000d6bfaa5debd2f000
Instruction ID: cdf117496dd5015203196b211985dba26e11d28f0778c32bf4cf6c3cef89dc37
Opcode Fuzzy Hash: a6f3561d69daa660089da6270f2a25cbdeb9bcfc1c128000d6bfaa5debd2f000
Instruction Fuzzy Hash: C091773390C329DB8704D97CDC84AEA7B91DAC5270B46873AED66771D8E721760EC2D4

Uniqueness

Uniqueness Score: -1.00%

Function 02700CDA, Relevance: 6.5, Strings: 5, Instructions: 269COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$_I$sG$uC
API String ID: 0-3780257733
Opcode ID: 4a13e8d098ce7799c96fc57061ecadf6d54598b4ae32ca856413a4b81adea91f
Instruction ID: bc48809d74f4a182b657c21c7e479b873be4b2c69edc7061b02823e5a94c96c9
Opcode Fuzzy Hash: 4a13e8d098ce7799c96fc57061ecadf6d54598b4ae32ca856413a4b81adea91f
Instruction Fuzzy Hash: 38817933908229DB8708DD7CDC84AFA7B91DA85230B46872EE966771C4E7217A0EC2D4

Uniqueness

Uniqueness Score: -1.00%

Function 02700CF3, Relevance: 6.5, Strings: 5, Instructions: 262COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$_I$sG$uC
API String ID: 0-3780257733
Opcode ID: 9043f31c9f92ca1a22c668c6e7055b2c516551509bfd29dfedcc269864c1234b
Instruction ID: 59f2dc654a7d92e40e1b55d22a1c9e5b41fc9eb88896e289e0ee98dc2523081c
Opcode Fuzzy Hash: 9043f31c9f92ca1a22c668c6e7055b2c516551509bfd29dfedcc269864c1234b
Instruction Fuzzy Hash: F4818933908229DB8708DD7CDC84AFA7B90DA85230B46873EE9667B1D4E7217A0DC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700D00, Relevance: 6.5, Strings: 5, Instructions: 259COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$_I$sG$uC
API String ID: 0-3780257733
Opcode ID: 52b7fab78bc8a547d3b331dabe9be8da4e542ea8192090e712add8c9c2b8008c
Instruction ID: a0e127cc5ee2ca35d4827bfe4fb986b7cd618dadf625f06f144c7228609c5907
Opcode Fuzzy Hash: 52b7fab78bc8a547d3b331dabe9be8da4e542ea8192090e712add8c9c2b8008c
Instruction Fuzzy Hash: 48818933908325DB8708DD7CDC849FA7B90DA86230B46873EE9667B2D4E7217A0DC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700D11, Relevance: 6.5, Strings: 5, Instructions: 254COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$_I$sG$uC
API String ID: 0-3780257733
Opcode ID: 2e73df115ad5c5fe1b0d62b46d6a557e733ea6238d6df94254b9463b12cead4e
Instruction ID: 23cd9d85a1fdcdc8d6ba3df144fe788fac516554ab5c7ce2c0a749402c76f945
Opcode Fuzzy Hash: 2e73df115ad5c5fe1b0d62b46d6a557e733ea6238d6df94254b9463b12cead4e
Instruction Fuzzy Hash: D5818933908225DB8708D97CDC849EA7B90DA85230B46873EED667B2D4E721790EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700D42, Relevance: 6.5, Strings: 5, Instructions: 238COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
sG, xrefs: 02700D55
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$_I$sG$uC
API String ID: 0-3780257733
Opcode ID: a4cbc19a6935b75cd568773fcf672960af85e9296afe7588624ad194f540fca8
Instruction ID: a4f1f4f9020fae7d3b67095f12440b76b9772d075239677d54c1f054717d7c50
Opcode Fuzzy Hash: a4cbc19a6935b75cd568773fcf672960af85e9296afe7588624ad194f540fca8
Instruction Fuzzy Hash: 69718A33908225DB8308D97CDC849FA7B95DB85230B46833EED667B2D4E721790EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700D51, Relevance: 5.2, Strings: 4, Instructions: 234COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$_I$uC
API String ID: 0-3092754440
Opcode ID: 0381d60d73077135db12c9250bd970a91bcdf74254e3e6d9b247346aeb89b1ad
Instruction ID: 4587d6d5567eccc0051d1c43428f446c61a3fdab060529726370cbf9cb052c71
Opcode Fuzzy Hash: 0381d60d73077135db12c9250bd970a91bcdf74254e3e6d9b247346aeb89b1ad
Instruction Fuzzy Hash: 4A717B3390C325DB8308D97CDC849EA7B95DA85230B46473EE966BB2D4E721690EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 02700D6C, Relevance: 5.2, Strings: 4, Instructions: 225COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$_I$uC
API String ID: 0-3092754440
Opcode ID: 954059f6186c78e31502ad604bb94fd61d6769596ded17f9777e63c4a2918731
Instruction ID: 84bbb3d3aed4e69ae65243cf9e7a22f2407727d347e5cfc739fefb2ab762fdcc
Opcode Fuzzy Hash: 954059f6186c78e31502ad604bb94fd61d6769596ded17f9777e63c4a2918731
Instruction Fuzzy Hash: 7A617B33908325DB8304D97CDC849FA7B95DB86230B46873EE966772D4E721690EC2D5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C946, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbfad88808f456ca115b8012d8d10205520df3680a6730f7ca2ede174d78c84
Instruction ID: 2402eaa03abae75336f01147a727d8ce894e4b00d769ebd4126c3f9523f35958
Opcode Fuzzy Hash: 2bbfad88808f456ca115b8012d8d10205520df3680a6730f7ca2ede174d78c84
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5D6, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef93b465a8e6cf02673f46cf9fcc93dbfb0b7413f301a99c6c21ec287c6aec2d
Instruction ID: e96bdf0d2304e7c0a884b842d2693f53ea508a8db5b1af71c429331035e79085
Opcode Fuzzy Hash: ef93b465a8e6cf02673f46cf9fcc93dbfb0b7413f301a99c6c21ec287c6aec2d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6EE, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d1455ceea73e303d289e2a202ab18880ae87e37a85939bb5c6d6e574ddb773
Instruction ID: d249845f3052daf319edce36210330764747d07f95dc5eeb016cf265dcc72934
Opcode Fuzzy Hash: 99d1455ceea73e303d289e2a202ab18880ae87e37a85939bb5c6d6e574ddb773
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB90, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 62
registryclipboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CB90(intOrPtr* __eax, int* __ecx, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr* _v12;
				struct HWND__* _t20;
				int* _t31;
				int* _t34;

				_t31 = __ecx;
				_t34 = __edx;
				_v12 = __eax;
				_t20 = FindWindowW(L"MouseZ", L"Magellan MSWHEEL");
				 *_v12 = RegisterClipboardFormatW(L"MSWHEEL_ROLLMSG");
				 *_t34 = RegisterClipboardFormatW(L"MSH_WHEELSUPPORT_MSG");
				 *_t31 = RegisterClipboardFormatW(L"MSH_SCROLL_LINES_MSG");
				if( *_t34 == 0 || _t20 == 0) {
					 *_a8 = 0;
				} else {
					 *_a8 = SendMessageW(_t20,  *_t34, 0, 0);
				}
				if( *_t31 == 0 || _t20 == 0) {
					 *_a4 = 3;
				} else {
					 *_a4 = SendMessageW(_t20,  *_t31, 0, 0);
				}
				return _t20;
			}

0x0040cb99
0x0040cb9b
0x0040cb9d
0x0040cbaf
0x0040cbbe
0x0040cbca
0x0040cbd6
0x0040cbdb
0x0040cbfa
0x0040cbe1
0x0040cbf1
0x0040cbf1
0x0040cbff
0x0040cc1c
0x0040cc05
0x0040cc15
0x0040cc15
0x0040cc2a

APIs

FindWindowW.USER32(MouseZ,Magellan MSWHEEL), ref: 0040CBAA
RegisterClipboardFormatW.USER32(MSWHEEL_ROLLMSG), ref: 0040CBB6
RegisterClipboardFormatW.USER32(MSH_WHEELSUPPORT_MSG), ref: 0040CBC5
RegisterClipboardFormatW.USER32(MSH_SCROLL_LINES_MSG), ref: 0040CBD1
SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0040CBE9
SendMessageW.USER32(00000000,?,00000000,00000000), ref: 0040CC0D

Strings

MSWHEEL_ROLLMSG, xrefs: 0040CBB1
MSH_WHEELSUPPORT_MSG, xrefs: 0040CBC0
MSH_SCROLL_LINES_MSG, xrefs: 0040CBCC
MouseZ, xrefs: 0040CBA5
Magellan MSWHEEL, xrefs: 0040CBA0

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: ClipboardFormatRegister$MessageSend$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1416857345-3736581797
Opcode ID: 00ca8b3b802c4422903149f83c459a84204067af59f641bfe259da1c990e4cea
Instruction ID: 5879aaecef96188c322641fe0d06fef35e77c87c0b6ae9f6207ff0057ea84c41
Opcode Fuzzy Hash: 00ca8b3b802c4422903149f83c459a84204067af59f641bfe259da1c990e4cea
Instruction Fuzzy Hash: 381112B1244306EFE314AF65D8C2B66B7E4EF48714F204637B948BB3C1D67998818799

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7BF, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 182
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040A7BF(void* __ecx, void* __edx, void* __eflags) {
				signed int* _t63;
				_Unknown_base(*)()* _t65;
				intOrPtr* _t72;
				intOrPtr _t87;
				struct HINSTANCE__* _t91;
				signed int _t100;
				signed int _t102;
				_Unknown_base(*)()* _t109;
				intOrPtr _t113;
				void* _t115;
				void* _t117;

				_t115 = _t117;
				_t113 =  *((intOrPtr*)(_t115 + 8));
				E0040A6BC(_t115 - 0x30, 0, 0x24);
				 *(_t115 - 0x30) = 0x24;
				 *((intOrPtr*)(_t115 - 0x2c)) = _t113;
				_t100 =  *(_t115 + 0xc);
				 *(_t115 - 0x28) = _t100;
				 *(_t115 - 0x24) =  *(_t113 + 4);
				_t91 =  *(_t113 + 8);
				 *(_t115 - 4) = E0040A73A( *(_t115 + 0xc),  *((intOrPtr*)(_t113 + 0xc)));
				_t63 = ( *(_t115 - 4) << 2) +  *((intOrPtr*)(_t113 + 0x10));
				_t102 = (_t100 & 0xffffff00 | (_t63[0] & 0x00000080) == 0x00000000) & 0x00000001;
				 *(_t115 - 0x20) = _t102;
				if(_t102 == 0) {
					 *(_t115 - 0x1c) =  *_t63 & 0x0000ffff;
				} else {
					 *(_t115 - 0x1c) =  *_t63 + 2;
				}
				_t109 = 0;
				if( *0x58f9f0 == 0) {
					L6:
					if(_t91 != 0) {
						L20:
						 *(_t115 - 0x18) = _t91;
						if( *0x58f9f0 != 0) {
							_t109 =  *0x58f9f0(2, _t115 - 0x30);
						}
						if(_t109 != 0) {
							L30:
							if(_t109 == 0) {
								 *((intOrPtr*)(_t115 - 0x10)) = GetLastError();
								if( *0x58f9ec != 0) {
									_t109 =  *0x58f9ec(4, _t115 - 0x30);
								}
								if(_t109 == 0) {
									 *(_t115 - 0xc) = _t115 - 0x30;
									RaiseException(0xc0fb007f, 0, 1, _t115 - 0xc);
									_t109 =  *((intOrPtr*)(_t115 - 0x14));
								}
							}
							 *( *(_t115 + 0xc)) = _t109;
							goto L36;
						} else {
							if( *((intOrPtr*)(_t113 + 0x14)) == 0 ||  *((intOrPtr*)(_t113 + 0x1c)) == 0) {
								L29:
								_t109 = GetProcAddress(_t91,  *(_t115 - 0x1c));
								goto L30;
							} else {
								_t72 = E0040A766(_t91);
								_t111 = _t72;
								if( *_t72 != 0x4550 || E0040A796(_t111) !=  *((intOrPtr*)(_t113 + 0x1c)) || E0040A7A3(_t111, _t91) == 0) {
									goto L29;
								} else {
									E0040A773( *((intOrPtr*)(_t113 + 0xc)),  *((intOrPtr*)(_t113 + 0x14)));
									_t109 =  *((intOrPtr*)( *((intOrPtr*)(_t113 + 0xc)) +  *(_t115 - 4) * 4));
									goto L36;
								}
							}
						}
					}
					if( *0x58f9f0 != 0) {
						_t91 =  *0x58f9f0(1, _t115 - 0x30);
					}
					if(_t91 == 0) {
						_t91 = LoadLibraryA( *(_t115 - 0x24));
					}
					if(_t91 != 0) {
						L16:
						_push(0x599c24);
						L004024AC();
						if( *(_t113 + 8) != 0) {
							_push(_t91);
							E0040253C();
							_t91 =  *(_t113 + 8);
						} else {
							E0040A6D8(_t113);
							 *(_t113 + 8) = _t91;
						}
						_push(0x599c24);
						L004024B4();
						goto L20;
					} else {
						 *((intOrPtr*)(_t115 - 0x10)) = GetLastError();
						if( *0x58f9ec != 0) {
							_t91 =  *0x58f9ec(3, _t115 - 0x30);
						}
						if(_t91 != 0) {
							goto L16;
						} else {
							 *(_t115 - 8) = _t115 - 0x30;
							RaiseException(0xc0fb007e, 0, 1, _t115 - 8);
							_t65 =  *((intOrPtr*)(_t115 - 0x14));
							goto L39;
						}
					}
				} else {
					_t87 =  *0x58f9f0(0, _t115 - 0x30);
					_t109 = _t87;
					if(_t87 == 0) {
						goto L6;
					}
					L36:
					if( *0x58f9f0 != 0) {
						 *((intOrPtr*)(_t115 - 0x10)) = 0;
						 *(_t115 - 0x18) = _t91;
						 *((intOrPtr*)(_t115 - 0x14)) = _t109;
						 *0x58f9f0(5, _t115 - 0x30);
					}
					_t65 = _t109;
					L39:
					return _t65;
				}
			}

0x0040a7bf
0x0040a7c7
0x0040a7d2
0x0040a7da
0x0040a7e1
0x0040a7e4
0x0040a7e7
0x0040a7ed
0x0040a7f0
0x0040a801
0x0040a80a
0x0040a814
0x0040a817
0x0040a81c
0x0040a830
0x0040a81e
0x0040a823
0x0040a823
0x0040a833
0x0040a83c
0x0040a855
0x0040a857
0x0040a8f8
0x0040a8f8
0x0040a902
0x0040a910
0x0040a910
0x0040a914
0x0040a969
0x0040a96b
0x0040a972
0x0040a97c
0x0040a98a
0x0040a98a
0x0040a98e
0x0040a993
0x0040a9a3
0x0040a9a8
0x0040a9a8
0x0040a98e
0x0040a9ae
0x00000000
0x0040a916
0x0040a91a
0x0040a95e
0x0040a967
0x00000000
0x0040a922
0x0040a923
0x0040a928
0x0040a930
0x00000000
0x0040a948
0x0040a94e
0x0040a959
0x00000000
0x0040a959
0x0040a930
0x0040a91a
0x0040a914
0x0040a864
0x0040a872
0x0040a872
0x0040a876
0x0040a880
0x0040a880
0x0040a884
0x0040a8c9
0x0040a8c9
0x0040a8ce
0x0040a8d7
0x0040a8e5
0x0040a8e6
0x0040a8eb
0x0040a8d9
0x0040a8da
0x0040a8e0
0x0040a8e0
0x0040a8ee
0x0040a8f3
0x00000000
0x0040a886
0x0040a88b
0x0040a895
0x0040a8a3
0x0040a8a3
0x0040a8a7
0x00000000
0x0040a8a9
0x0040a8ac
0x0040a8bc
0x0040a8c1
0x00000000
0x0040a8c1
0x0040a8a7
0x0040a83e
0x0040a844
0x0040a84a
0x0040a84e
0x00000000
0x00000000
0x0040a9b0
0x0040a9b7
0x0040a9bb
0x0040a9be
0x0040a9c1
0x0040a9ca
0x0040a9ca
0x0040a9d0
0x0040a9d2
0x0040a9d8
0x0040a9d8

APIs

LoadLibraryA.KERNEL32(?), ref: 0040A87B
GetLastError.KERNEL32 ref: 0040A886
RaiseException.KERNEL32(C0FB007E,00000000,00000001,?), ref: 0040A8BC
RtlEnterCriticalSection.NTDLL(00599C24), ref: 0040A8CE
RtlLeaveCriticalSection.NTDLL(00599C24), ref: 0040A8F3
GetProcAddress.KERNEL32(?,?), ref: 0040A962
GetLastError.KERNEL32 ref: 0040A96D
RaiseException.KERNEL32(C0FB007F,00000000,00000001,?), ref: 0040A9A3

Part of subcall function 0040A6D8: LocalAlloc.KERNEL32(00000040,00000008), ref: 0040A6E4
Part of subcall function 0040A6D8: RaiseException.KERNEL32(C0FB0008,00000000,00000001,?,00000040,00000008), ref: 0040A6F9

Strings

$, xrefs: 0040A7DA

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: ExceptionRaise$CriticalErrorLastSection$AddressAllocEnterLeaveLibraryLoadLocalProc
String ID: $
API String ID: 1857947470-3993045852
Opcode ID: 7a110d1d6c81cfa438b160e41823c8b9c08597847f37c8044b9b172e44e9eec1
Instruction ID: ed984f857f59867d13bf94d7344d8a9a78dc89c5839aba6f9177340da5ed7069
Opcode Fuzzy Hash: 7a110d1d6c81cfa438b160e41823c8b9c08597847f37c8044b9b172e44e9eec1
Instruction Fuzzy Hash: DF61AEB2900306AFDB10EFA5DD85BAEB7B4FB48300F14853AE900B72D0D7789955DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040932C, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 77
stringCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040932C(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v8;
				signed int _t8;
				void* _t16;
				signed short _t26;
				intOrPtr _t32;
				intOrPtr _t44;

				_t39 = __edi;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t41 = __edx;
				_t26 = __eax;
				_push(_t44);
				_push(0x409431);
				_push( *[fs:eax]);
				 *[fs:eax] = _t44;
				_push(0x599b5c);
				L004024AC();
				if(__eax !=  *0x599b74) {
					L004024B4();
					E00406EDC(__edx, 0, 0x599b5c);
					_push(2);
					_t8 = _t26 & 0x0000ffff;
					_push(_t8);
					E00402594();
					if(_t8 != 0) {
						if( *0x599b58 == 0) {
							_t16 = E0040900C(_t26, _t26, __edx, __edi, __edx);
							L0040258C();
							if(_t26 != _t16) {
								if( *_t41 != 0) {
									_t16 = E00407300(_t41, E0040944C);
								}
								L0040258C();
								E0040900C(_t16, _t26,  &_v8, _t39, _t41);
								E00407300(_t41, _v8);
							}
						} else {
							E0040920C(_t26, __edx);
						}
					}
					_push(0x599b5c);
					L004024AC();
					 *0x599b74 = _t26;
					lstrcpynW(L"en-US,en,", E00406F68( *_t41), 0xaa);
					_push(0x599b5c);
					L004024B4();
				} else {
					E004070EC(__edx, 0x55, L"en-US,en,");
					_push(0x599b5c);
					L004024B4();
				}
				_pop(_t32);
				 *[fs:eax] = _t32;
				_push(E00409438);
				return L00406ECC( &_v8);
			}

0x0040932c
0x0040932f
0x00409331
0x00409332
0x00409333
0x00409335
0x00409339
0x0040933a
0x0040933f
0x00409342
0x00409345
0x0040934a
0x00409356
0x0040937d
0x00409386
0x0040938b
0x0040938d
0x00409390
0x00409391
0x00409398
0x004093a1
0x004093b2
0x004093b7
0x004093bf
0x004093c4
0x004093cd
0x004093cd
0x004093d2
0x004093da
0x004093e4
0x004093e4
0x004093a3
0x004093a7
0x004093a7
0x004093a1
0x004093e9
0x004093ee
0x004093f3
0x0040940c
0x00409411
0x00409416
0x00409358
0x00409364
0x00409369
0x0040936e
0x0040936e
0x0040941d
0x00409420
0x00409423
0x00409430

APIs

RtlEnterCriticalSection.NTDLL(00599B5C), ref: 0040934A
RtlLeaveCriticalSection.NTDLL(00599B5C), ref: 0040936E
RtlLeaveCriticalSection.NTDLL(00599B5C), ref: 0040937D
RtlEnterCriticalSection.NTDLL(00599B5C), ref: 004093EE
lstrcpynW.KERNEL32(en-US,en,,00000000,000000AA,00599B5C,00000000,00000002,00599B5C,00599B5C,00000000,00409431,?,?,00000000,00000000,?,00409C44), ref: 0040940C
RtlLeaveCriticalSection.NTDLL(00599B5C), ref: 00409416

Strings

en-US,en,, xrefs: 0040935A, 00409407

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter$lstrcpyn
String ID: en-US,en,
API String ID: 3944662818-3579323720
Opcode ID: 48d2154b70423397835dfe6099957c99022bc09db2efda8f65aa42158d3c0224
Instruction ID: 4f8d307dfc16c17b2c21b20d8861c6fd49996873896a80b2f9e0a1fdb7bcc8fb
Opcode Fuzzy Hash: 48d2154b70423397835dfe6099957c99022bc09db2efda8f65aa42158d3c0224
Instruction Fuzzy Hash: 6D218430708214A6EF15B77A9D5776A265A9B88B08F55453FB840B32C3C9BE8C01966E

Uniqueness

Uniqueness Score: -1.00%

Function 004032F0, Relevance: 10.9, APIs: 7, Instructions: 363
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004032F0(signed int __eax, intOrPtr __edx, void* __edi) {
				signed int __ebx;
				void* __esi;
				signed int _t69;
				signed int _t78;
				signed int _t93;
				long _t94;
				void* _t100;
				signed int _t102;
				signed int _t109;
				signed int _t115;
				signed int _t123;
				signed int _t129;
				void* _t131;
				signed int _t140;
				unsigned int _t148;
				signed int _t150;
				long _t152;
				signed int _t156;
				intOrPtr _t161;
				signed int _t166;
				signed int _t170;
				unsigned int _t171;
				intOrPtr _t174;
				intOrPtr _t180;
				intOrPtr _t193;
				signed int _t196;
				signed int _t197;
				signed int _t198;
				void* _t206;
				unsigned int _t208;
				intOrPtr _t214;
				void* _t226;
				intOrPtr _t228;
				void* _t229;
				signed int _t231;
				void* _t233;
				signed int _t234;
				signed int _t235;
				signed int _t239;
				signed int _t242;
				void* _t244;
				intOrPtr* _t245;

				_t176 = __edx;
				_t66 = __eax;
				_t166 =  *(__eax - 4);
				_t218 = __eax;
				if((_t166 & 0x00000007) != 0) {
					__eflags = _t166 & 0x00000005;
					if((_t166 & 0x00000005) != 0) {
						_pop(_t218);
						_pop(_t145);
						__eflags = _t166 & 0x00000003;
						if((_t166 & 0x00000003) == 0) {
							_push(_t145);
							_push(__eax);
							_push(__edi);
							_push(_t226);
							_t245 = _t244 + 0xffffffe0;
							_t219 = __edx;
							_t203 = __eax;
							_t69 =  *(__eax - 4);
							_t148 = (_t69 & 0xfffffff0) - 0x14;
							if(_t148 >= __edx) {
								__eflags = __edx - _t148 >> 1;
								if(__edx < _t148 >> 1) {
									_t150 = E00402D74(__edx);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t219 - 0x40a2c;
										if(_t219 > 0x40a2c) {
											_t78 = _t203 - 0x10;
											__eflags = _t78;
											 *((intOrPtr*)(_t78 + 8)) = _t219;
										}
										E00402938(_t203, _t219, _t150);
										E004030F8(_t203, _t203, _t226);
									}
								} else {
									_t150 = __eax;
									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
								}
							} else {
								_t180 = (_t148 >> 2) + _t148;
								if(_t180 <= __edx) {
									_t228 = __edx;
								} else {
									_t228 = _t180;
								}
								 *_t245 = _t203 - 0x10 + (_t69 & 0xfffffff0);
								VirtualQuery( *(_t245 + 8), _t245 + 8, 0x1c);
								if( *((intOrPtr*)(_t245 + 0x14)) != 0x10000) {
									L12:
									_t150 = E00402D74(_t228);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t228 - 0x40a2c;
										if(_t228 > 0x40a2c) {
											_t93 = _t150 - 0x10;
											__eflags = _t93;
											 *((intOrPtr*)(_t93 + 8)) = _t219;
										}
										E00402908(_t203,  *((intOrPtr*)(_t203 - 0x10 + 8)), _t150);
										E004030F8(_t203, _t203, _t228);
									}
								} else {
									 *(_t245 + 0x10) =  *(_t245 + 0x10) & 0xffff0000;
									_t94 =  *(_t245 + 0x10);
									if(_t219 - _t148 >= _t94) {
										goto L12;
									} else {
										_t152 = _t228 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
										if(_t94 < _t152) {
											_t152 = _t94;
										}
										if(VirtualAlloc( *(_t245 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t245 + 0xc), _t152, 0x1000, 4) == 0) {
											goto L12;
										} else {
											_t100 = _t203 - 0x10;
											 *((intOrPtr*)(_t100 + 8)) = _t219;
											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
											_t150 = _t203;
										}
									}
								}
							}
							return _t150;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t170 = _t166 & 0xfffffff0;
						_push(__edi);
						_t206 = _t170 + __eax;
						_t171 = _t170 - 4;
						_t156 = _t166 & 0x0000000f;
						__eflags = __edx - _t171;
						_push(_t226);
						if(__edx > _t171) {
							_t102 =  *(_t206 - 4);
							__eflags = _t102 & 0x00000001;
							if((_t102 & 0x00000001) == 0) {
								L75:
								asm("adc edi, 0xffffffff");
								_t229 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
								_t208 = _t171;
								_t109 = E00402D74(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
								_t193 = _t176;
								__eflags = _t109;
								if(_t109 == 0) {
									goto L73;
								} else {
									__eflags = _t229 - 0x40a2c;
									if(_t229 > 0x40a2c) {
										 *((intOrPtr*)(_t109 - 8)) = _t193;
									}
									_t231 = _t109;
									E00402908(_t218, _t208, _t109);
									E004030F8(_t218, _t208, _t231);
									return _t231;
								}
							} else {
								_t115 = _t102 & 0xfffffff0;
								_t233 = _t171 + _t115;
								__eflags = __edx - _t233;
								if(__edx > _t233) {
									goto L75;
								} else {
									__eflags =  *0x597055;
									if(__eflags == 0) {
										L66:
										__eflags = _t115 - 0xb30;
										if(_t115 >= 0xb30) {
											E00402954(_t206);
											_t176 = _t176;
											_t171 = _t171;
										}
										asm("adc edi, 0xffffffff");
										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t196 = _t233 + 4 - _t123;
										__eflags = _t196;
										if(_t196 > 0) {
											 *(_t218 + _t233 - 4) = _t196;
											 *((intOrPtr*)(_t218 - 4 + _t123)) = _t196 + 3;
											_t234 = _t123;
											__eflags = _t196 - 0xb30;
											if(_t196 >= 0xb30) {
												__eflags = _t123 + _t218;
												E00402994(_t123 + _t218, _t171, _t196);
											}
										} else {
											 *(_t218 + _t233) =  *(_t218 + _t233) & 0xfffffff7;
											_t234 = _t233 + 4;
										}
										_t235 = _t234 | _t156;
										__eflags = _t235;
										 *(_t218 - 4) = _t235;
										 *0x597a3c = 0;
										_t109 = _t218;
										L73:
										return _t109;
									} else {
										while(1) {
											asm("lock cmpxchg [0x597a3c], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x5978dd;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t176 = _t176;
												_t171 = _t171;
												asm("lock cmpxchg [0x597a3c], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t176 = _t176;
													_t171 = _t171;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t218 - 4);
										_t129 =  *(_t206 - 4);
										__eflags = _t129 & 0x00000001;
										if((_t129 & 0x00000001) == 0) {
											L74:
											 *0x597a3c = 0;
											goto L75;
										} else {
											_t115 = _t129 & 0xfffffff0;
											_t233 = _t171 + _t115;
											__eflags = _t176 - _t233;
											if(_t176 > _t233) {
												goto L74;
											} else {
												goto L66;
											}
										}
									}
								}
							}
						} else {
							__eflags = __edx + __edx - _t171;
							if(__edx + __edx < _t171) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L41:
									_t239 = (_t176 + 0x000000d3 & 0xffffff00) + 0x30;
									_t174 = _t171 + 4 - _t239;
									__eflags =  *0x597055;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x597a3c], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x5978dd;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t174 = _t174;
												asm("lock cmpxchg [0x597a3c], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t174 = _t174;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t218 - 4);
										__eflags = 0xf;
									}
									 *(_t218 - 4) = _t156 | _t239;
									_t161 = _t174;
									_t197 =  *(_t206 - 4);
									__eflags = _t197 & 0x00000001;
									if((_t197 & 0x00000001) != 0) {
										_t131 = _t206;
										_t198 = _t197 & 0xfffffff0;
										_t161 = _t161 + _t198;
										_t206 = _t206 + _t198;
										__eflags = _t198 - 0xb30;
										if(_t198 >= 0xb30) {
											E00402954(_t131);
										}
									} else {
										 *(_t206 - 4) = _t197 | 0x00000008;
									}
									 *((intOrPtr*)(_t206 - 8)) = _t161;
									 *((intOrPtr*)(_t218 + _t239 - 4)) = _t161 + 3;
									__eflags = _t161 - 0xb30;
									if(_t161 >= 0xb30) {
										E00402994(_t218 + _t239, _t174, _t161);
									}
									 *0x597a3c = 0;
									return _t218;
								} else {
									__eflags = __edx - 0x2cc;
									if(__edx < 0x2cc) {
										_t214 = __edx;
										_t140 = E00402D74(__edx);
										__eflags = _t140;
										if(_t140 != 0) {
											_t242 = _t140;
											E00402938(_t218, _t214, _t140);
											E004030F8(_t218, _t214, _t242);
											_t140 = _t242;
										}
										return _t140;
									} else {
										_t176 = 0xb2c;
										__eflags = _t171 - 0xb2c;
										if(_t171 <= 0xb2c) {
											goto L37;
										} else {
											goto L41;
										}
									}
								}
							} else {
								L37:
								return _t66;
							}
						}
					}
				} else {
					__ebx =  *__ecx;
					__ecx =  *(__ebx + 2) & 0x0000ffff;
					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
					__eflags = __ecx - __edx;
					if(__ecx < __edx) {
						__ecx = __ecx + __ecx + 0x20;
						_push(__edi);
						__edi = __edx;
						__eax = 0;
						__ecx = __ecx - __edx;
						asm("adc eax, 0xffffffff");
						__eax = 0 & __ecx;
						__eax = (0 & __ecx) + __edx;
						__eax = E00402D74((0 & __ecx) + __edx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __edi - 0x40a2c;
							if(__edi > 0x40a2c) {
								 *(__eax - 8) = __edi;
							}
							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__edx = __eax;
							__edi = __eax;
							 *((intOrPtr*)(__ebx + 0x1c))() = E004030F8(__esi, __edi, __ebp);
							__eax = __edi;
						}
						_pop(__edi);
						_pop(__esi);
						_pop(__ebx);
						return __eax;
					} else {
						__ebx = 0x40 + __edx * 4;
						__eflags = 0x40 + __edx * 4 - __ecx;
						if(0x40 + __edx * 4 < __ecx) {
							__ebx = __edx;
							__eax = __edx;
							__eax = E00402D74(__edx);
							__eflags = __eax;
							if(__eax != 0) {
								__ecx = __ebx;
								__edx = __eax;
								__ebx = __eax;
								__esi = E004030F8(__esi, __edi, __ebp);
								__eax = __ebx;
							}
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						} else {
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x004032f0
0x004032f0
0x004032f0
0x004032f8
0x004032fa
0x00403388
0x0040338b
0x004035f8
0x004035f9
0x004035fa
0x004035fd
0x00402c28
0x00402c29
0x00402c2a
0x00402c2b
0x00402c2c
0x00402c2f
0x00402c31
0x00402c38
0x00402c3f
0x00402c44
0x00402d2d
0x00402d2f
0x00402d42
0x00402d44
0x00402d46
0x00402d48
0x00402d4e
0x00402d52
0x00402d52
0x00402d55
0x00402d55
0x00402d5e
0x00402d65
0x00402d65
0x00402d31
0x00402d31
0x00402d36
0x00402d36
0x00402c4a
0x00402c4f
0x00402c53
0x00402c59
0x00402c55
0x00402c55
0x00402c55
0x00402c65
0x00402c74
0x00402c81
0x00402cf3
0x00402cfa
0x00402cfc
0x00402cfe
0x00402d00
0x00402d06
0x00402d0a
0x00402d0a
0x00402d0d
0x00402d0d
0x00402d1d
0x00402d24
0x00402d24
0x00402c83
0x00402c83
0x00402c8f
0x00402c95
0x00000000
0x00402c97
0x00402ca8
0x00402cac
0x00402cae
0x00402cae
0x00402cc4
0x00000000
0x00402cdc
0x00402cde
0x00402ce1
0x00402cec
0x00402cef
0x00402cef
0x00402cc4
0x00402c95
0x00402c81
0x00402d73
0x00403603
0x00403603
0x00403605
0x00403605
0x00403391
0x00403393
0x00403396
0x00403397
0x0040339a
0x0040339d
0x004033a0
0x004033a2
0x004033a3
0x004034b8
0x004034bb
0x004034bd
0x004035b0
0x004035bb
0x004035c2
0x004035c4
0x004035c7
0x004035cc
0x004035cd
0x004035cf
0x00000000
0x004035d1
0x004035d1
0x004035d7
0x004035d9
0x004035d9
0x004035dc
0x004035e4
0x004035eb
0x004035f6
0x004035f6
0x004034c3
0x004034c3
0x004034c6
0x004034c9
0x004034cb
0x00000000
0x004034d1
0x004034d1
0x004034d8
0x00403535
0x00403535
0x0040353a
0x00403540
0x00403545
0x00403546
0x00403546
0x00403552
0x00403563
0x00403569
0x00403569
0x0040356b
0x00403578
0x0040357f
0x00403583
0x00403585
0x0040358b
0x0040358d
0x0040358f
0x0040358f
0x0040356d
0x0040356d
0x00403571
0x00403571
0x00403594
0x00403594
0x00403596
0x00403599
0x004035a0
0x004035a2
0x004035a6
0x004034da
0x004034da
0x004034df
0x004034e7
0x00000000
0x00000000
0x004034e9
0x004034eb
0x004034f2
0x00000000
0x004034f4
0x004034f8
0x004034fd
0x004034fe
0x00403504
0x0040350c
0x00403512
0x00403517
0x00403518
0x00000000
0x00403518
0x0040350c
0x00000000
0x004034f2
0x00403521
0x00403524
0x00403527
0x00403529
0x004035a9
0x004035a9
0x00000000
0x0040352b
0x0040352b
0x0040352e
0x00403531
0x00403533
0x00000000
0x00000000
0x00000000
0x00000000
0x00403533
0x00403529
0x004034d8
0x004034cb
0x004033a9
0x004033ac
0x004033ae
0x004033b8
0x004033be
0x004033d5
0x004033e1
0x004033e7
0x004033e9
0x004033f0
0x004033f2
0x004033f7
0x004033ff
0x00000000
0x00000000
0x00403401
0x00403403
0x0040340a
0x00000000
0x0040340c
0x0040340f
0x00403414
0x0040341a
0x00403422
0x00403427
0x0040342c
0x00000000
0x0040342c
0x00403422
0x00000000
0x0040340a
0x00403435
0x00403435
0x00403435
0x0040343a
0x0040343d
0x0040343f
0x00403442
0x00403445
0x00403450
0x00403452
0x00403455
0x00403457
0x00403459
0x0040345f
0x00403461
0x00403461
0x00403447
0x0040344a
0x0040344a
0x00403466
0x0040346c
0x00403470
0x00403476
0x0040347d
0x0040347d
0x00403482
0x0040348f
0x004033c0
0x004033c0
0x004033c6
0x00403490
0x00403494
0x00403499
0x0040349b
0x0040349d
0x004034a5
0x004034ac
0x004034b1
0x004034b1
0x004034b7
0x004033cc
0x004033cc
0x004033d1
0x004033d3
0x00000000
0x00000000
0x00000000
0x00000000
0x004033d3
0x004033c6
0x004033b0
0x004033b0
0x004033b4
0x004033b4
0x004033ae
0x004033a3
0x00403300
0x00403300
0x00403302
0x00403306
0x00403309
0x0040330b
0x00403344
0x00403348
0x00403349
0x0040334b
0x0040334d
0x0040334f
0x00403352
0x00403354
0x00403356
0x0040335b
0x0040335d
0x0040335f
0x00403365
0x00403367
0x00403367
0x0040336e
0x0040336e
0x00403371
0x00403373
0x0040337c
0x00403381
0x00403381
0x00403383
0x00403384
0x00403385
0x00403386
0x0040330d
0x0040330d
0x00403314
0x00403316
0x0040331c
0x0040331e
0x00403320
0x00403325
0x00403327
0x00403329
0x0040332b
0x0040332d
0x00403338
0x0040333d
0x0040333d
0x0040333f
0x00403340
0x00403341
0x00403318
0x00403318
0x00403319
0x0040331a
0x0040331a
0x00403316
0x0040330b

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2519001bbe53a856954d5ff1204ddf016e075d543b23461ffc9e4afeefeda3a
Instruction ID: 830e0e2c5989ead2a219bcc26cbe98a3398f87e04286f0fbad3ba547db580ebb
Opcode Fuzzy Hash: c2519001bbe53a856954d5ff1204ddf016e075d543b23461ffc9e4afeefeda3a
Instruction Fuzzy Hash: 2FB154627002000BE3159E7D9D8976EBB89DBC4326F18823FE514EB3D5DABCCE469358

Uniqueness

Uniqueness Score: -1.00%

Function 00402D74, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00402D74(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				intOrPtr* _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				intOrPtr* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t140;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				intOrPtr* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t140 = __eax + 3 >> 3;
				_t129 =  *0x597055; // 0x0
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t156 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t121 = VirtualAlloc(0, _t156, 0x101000, 4);
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E00402AD8(_t96, _t140, _t147);
								_t99 =  *0x599ad4; // 0x599ad0
								 *_t147 = 0x599ad0;
								 *0x599ad4 = _t121;
								 *((intOrPtr*)(_t147 + 4)) = _t99;
								 *_t99 = _t121;
								 *0x599acc = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t125 = (__eax + 0x000000d3 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x597a3c], ah");
								if(__eflags == 0) {
									goto L42;
								}
								asm("pause");
								__eflags =  *0x5978dd;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									asm("lock cmpxchg [0x597a3c], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L42;
							}
						}
						L42:
						_t141 = _t125 - 0xb30;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x597a4c + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x597a48;
							if((0xfffffffe << _t132 &  *0x597a48) == 0) {
								_t133 =  *0x597a44; // 0x31780
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E00402A60(_t125, _t142);
								} else {
									_t110 =  *0x597a40; // 0x36f1790
									_t109 = _t110 - _t125;
									 *0x597a40 = _t109;
									 *0x597a44 = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x597a3c = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L50;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L50:
							_push(_t152);
							_push(_t145);
							_t148 = 0x597acc + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x597a4c + _t142 * 4;
								 *_t80 =  *(0x597a4c + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x597a48], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E00402994(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							 *(_t159 - 4) = _t125 + 2;
							 *0x597a3c = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					__eax =  *(__edx + 0x5978e4) & 0x000000ff;
					__ebx = 0x58f080 + ( *(__edx + 0x5978e4) & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									asm("pause");
									__eflags =  *0x5978dd;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [ebx], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 4);
					__eax =  *(__edx + 8);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x10);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0xc);
						if(__eax >  *(__ebx + 0xc)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x597055;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x597a3c], ah");
									if(__eflags == 0) {
										goto L22;
									}
									asm("pause");
									__eflags =  *0x5978dd;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [0x597a3c], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
									goto L22;
								}
							}
							L22:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x597a48;
							__eflags =  *(__ebx + 1) &  *0x597a48;
							if(( *(__ebx + 1) &  *0x597a48) == 0) {
								__ecx =  *(__ebx + 0x18) & 0x0000ffff;
								__edi =  *0x597a44; // 0x31780
								__eflags = __edi - ( *(__ebx + 0x18) & 0x0000ffff);
								if(__edi < ( *(__ebx + 0x18) & 0x0000ffff)) {
									__eax =  *(__ebx + 0x1a) & 0x0000ffff;
									__edi = __eax;
									__eax = E00402A60(__eax, __edx);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L35;
									} else {
										 *0x597a3c = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x597a40; // 0x36f1790
									__ecx =  *(__ebx + 0x1a) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x597a44 =  *0x597a44 - __edi;
									 *0x597a40 = __esi;
									goto L35;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x597a4c + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x597a4c + __eax * 4) + __eax * 8 * 4;
								__edi = 0x597acc + ( *(0x597a4c + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x597a4c + __eax * 4;
									 *_t38 =  *(0x597a4c + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x597a48], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 0x1a) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E00402994(__eax, __ecx, __edx);
								}
								L35:
								_t56 = __edi + 6; // 0x31786
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x597a3c = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 8)) = 0;
								 *((intOrPtr*)(__esi + 0xc)) = 1;
								 *(__ebx + 0x10) = __esi;
								_t61 = __esi + 0x20; // 0x36f17b0
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 8) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0xc) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0xc;
							 *_t19 =  *(__edx + 0xc) + 1;
							__eflags =  *_t19;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0xc) =  *(__edx + 0xc) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 8) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 4);
							 *(__ecx + 0x14) = __ebx;
							 *(__ebx + 4) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00402d77
0x00402d80
0x00402d86
0x00402fd4
0x00402fd9
0x004030ec
0x004030ed
0x004030ef
0x00402b20
0x00402b24
0x00402b30
0x00402b45
0x00402b49
0x00402b4b
0x00402b4d
0x00402b53
0x00402b56
0x00402b5b
0x00402b60
0x00402b66
0x00402b6c
0x00402b6f
0x00402b71
0x00402b78
0x00402b78
0x00402b81
0x004030f5
0x004030f5
0x004030f7
0x004030f7
0x00402fdf
0x00402feb
0x00402fee
0x00402ff0
0x00402f98
0x00402f9d
0x00402fa5
0x00000000
0x00000000
0x00402fa7
0x00402fa9
0x00402fb0
0x00000000
0x00402fb2
0x00402fb4
0x00402fbe
0x00402fc6
0x00402fca
0x00000000
0x00402fca
0x00402fc6
0x00000000
0x00402fb0
0x00402f98
0x00402ff2
0x00402ff2
0x00402ffa
0x00402ffd
0x00403007
0x00403007
0x0040300e
0x00403021
0x00403025
0x0040302b
0x00403044
0x0040304a
0x0040304a
0x0040304c
0x0040306a
0x0040304e
0x0040304e
0x00403053
0x00403055
0x0040305a
0x00403063
0x00403063
0x0040306f
0x00403077
0x0040302d
0x0040302d
0x00403037
0x0040303f
0x00000000
0x0040303f
0x00403010
0x00403013
0x00403016
0x00403078
0x00403078
0x00403079
0x0040307a
0x00403081
0x00403084
0x00403087
0x0040308a
0x0040308c
0x0040308e
0x00403095
0x00403097
0x00403097
0x00403097
0x0040309e
0x004030a0
0x004030a0
0x0040309e
0x004030ac
0x004030b1
0x004030b1
0x004030b3
0x004030d4
0x004030d4
0x004030d4
0x004030b5
0x004030b5
0x004030bb
0x004030be
0x004030c2
0x004030c8
0x004030ca
0x004030ca
0x004030c8
0x004030dc
0x004030df
0x004030eb
0x004030eb
0x0040300e
0x00402d8c
0x00402d8c
0x00402d8e
0x00402d95
0x00402d9c
0x00402df4
0x00402df4
0x00402df9
0x00402dfd
0x00000000
0x00000000
0x00402dff
0x00402dff
0x00402e02
0x00402e07
0x00402e0b
0x00402e0d
0x00402e0d
0x00402e10
0x00402e15
0x00402e19
0x00402e1b
0x00402e1e
0x00402e20
0x00402e27
0x00000000
0x00402e29
0x00402e2b
0x00402e30
0x00402e35
0x00402e39
0x00402e41
0x00000000
0x00402e41
0x00402e39
0x00402e27
0x00402e19
0x00000000
0x00402e0b
0x00402df4
0x00402d9e
0x00402d9e
0x00402da1
0x00402da4
0x00402da9
0x00402dab
0x00402dc4
0x00402dc7
0x00402dcb
0x00402dcd
0x00402dd0
0x00402e48
0x00402e49
0x00402e4a
0x00402e51
0x00402e53
0x00402e53
0x00402e58
0x00402e60
0x00000000
0x00000000
0x00402e62
0x00402e64
0x00402e6b
0x00000000
0x00402e6d
0x00402e6f
0x00402e74
0x00402e79
0x00402e81
0x00402e85
0x00000000
0x00402e85
0x00402e81
0x00000000
0x00402e6b
0x00402e53
0x00402e8c
0x00402e90
0x00402e90
0x00402e96
0x00402f08
0x00402f0c
0x00402f12
0x00402f14
0x00402f3c
0x00402f40
0x00402f42
0x00402f47
0x00402f49
0x00402f4b
0x00000000
0x00402f4d
0x00402f4d
0x00402f52
0x00402f54
0x00402f55
0x00402f56
0x00402f57
0x00402f57
0x00402f16
0x00402f16
0x00402f1c
0x00402f20
0x00402f26
0x00402f28
0x00402f2a
0x00402f2a
0x00402f2c
0x00402f2e
0x00402f34
0x00000000
0x00402f34
0x00402e98
0x00402e98
0x00402e9b
0x00402ea2
0x00402ea9
0x00402eac
0x00402eaf
0x00402eb6
0x00402eb9
0x00402ebc
0x00402ebf
0x00402ec1
0x00402ec3
0x00402ec5
0x00402eca
0x00402ecc
0x00402ecc
0x00402ecc
0x00402ed3
0x00402ed5
0x00402ed5
0x00402ed3
0x00402edc
0x00402ee1
0x00402ee4
0x00402eea
0x00402f58
0x00402f58
0x00402f58
0x00402eec
0x00402eec
0x00402eee
0x00402ef2
0x00402ef4
0x00402ef7
0x00402efa
0x00402efd
0x00402f01
0x00402f01
0x00402f5d
0x00402f5d
0x00402f5d
0x00402f60
0x00402f63
0x00402f65
0x00402f6a
0x00402f6c
0x00402f6f
0x00402f76
0x00402f79
0x00402f79
0x00402f7c
0x00402f80
0x00402f83
0x00402f86
0x00402f88
0x00402f88
0x00402f8a
0x00402f8d
0x00402f90
0x00402f93
0x00402f94
0x00402f95
0x00402f96
0x00402f96
0x00402dd2
0x00402dd2
0x00402dd2
0x00402dd2
0x00402dd6
0x00402dd9
0x00402ddc
0x00402ddf
0x00402de0
0x00402de0
0x00402dad
0x00402dad
0x00402db1
0x00402db1
0x00402db4
0x00402db7
0x00402dba
0x00402de4
0x00402de7
0x00402dea
0x00402ded
0x00402df0
0x00402df1
0x00402dbc
0x00402dbc
0x00402dbf
0x00402dc0
0x00402dc0
0x00402dba
0x00402dab

APIs

Sleep.KERNEL32(00000000,?,00402D42), ref: 00402E2B
Sleep.KERNEL32(0000000A,00000000,?,00402D42), ref: 00402E41
Sleep.KERNEL32(00000000,?,?,?,00402D42), ref: 00402E6F
Sleep.KERNEL32(0000000A,00000000,?,?,?,00402D42), ref: 00402E85

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ae8cd937689ee7afcd12110fab3c7307ccaecc111bd93becf6e8e3e2feb82918
Instruction ID: 2b91ece78b6697a3650e8730b43f8f64fb0b4e3efcb201bb0438619514fcca4f
Opcode Fuzzy Hash: ae8cd937689ee7afcd12110fab3c7307ccaecc111bd93becf6e8e3e2feb82918
Instruction Fuzzy Hash: 5CC16B726052118FC715CF29DD8831ABBE0FB99310F1982BFD409AB3D5C7B89945DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00407990, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407990(signed int __eax, void* __edx) {
				short _v530;
				short _v1052;
				short _v1056;
				short _v1058;
				signed int _t20;
				void* _t24;
				WCHAR* _t25;

				_t25 =  &_v1052;
				_t24 = __edx;
				_t20 = __eax;
				if(__eax != 0) {
					 *_t25 = (__eax & 0x000000ff) + 0x41 - 1;
					_v1058 = 0x3a;
					_v1056 = 0;
					GetCurrentDirectoryW(0x105,  &_v530);
					SetCurrentDirectoryW(_t25);
				}
				GetCurrentDirectoryW(0x105,  &_v1052);
				if(_t20 != 0) {
					SetCurrentDirectoryW( &_v530);
				}
				return E004070EC(_t24, 0x105,  &_v1052);
			}

0x00407992
0x00407998
0x0040799a
0x0040799e
0x004079a8
0x004079ac
0x004079b3
0x004079c7
0x004079cd
0x004079cd
0x004079dc
0x004079e3
0x004079ed
0x004079ed
0x00407a0a

APIs

GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004079C7
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 004079CD
GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004079DC
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 004079ED

Strings

:, xrefs: 004079AC

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: d4c66a745f203e7e8c21688f8176adee662d14b5a991df33e74bb0ca638d7e43
Instruction ID: 9b08752bf4a0d4c1cab7531067f02d177f748723692e6be305835cd234e5aa5d
Opcode Fuzzy Hash: d4c66a745f203e7e8c21688f8176adee662d14b5a991df33e74bb0ca638d7e43
Instruction Fuzzy Hash: 7EF0F0B11496546AE310E3508C66AEB72DCEF84308F00843F76C8D72D1EABC8888976B

Uniqueness

Uniqueness Score: -1.00%

Function 004030F8, Relevance: 7.7, APIs: 6, Instructions: 196
sleepCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004030F8(void* __eax, signed int __edi, void* __ebp) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				signed int __ebx;
				void* _t58;
				signed int _t61;
				signed int _t67;
				void _t70;
				int _t71;
				signed int _t78;
				void* _t79;
				signed int _t81;
				intOrPtr _t82;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				void* _t96;
				signed int _t99;
				void* _t103;
				intOrPtr _t104;
				void* _t106;
				void* _t108;
				signed int _t113;
				void* _t115;
				void* _t116;

				_t56 = __eax;
				_t89 =  *(__eax - 4);
				_t78 =  *0x597055; // 0x0
				if((_t89 & 0x00000007) != 0) {
					__eflags = _t89 & 0x00000005;
					if((_t89 & 0x00000005) != 0) {
						_pop(_t78);
						__eflags = _t89 & 0x00000003;
						if((_t89 & 0x00000003) == 0) {
							_push(_t78);
							_push(__edi);
							_t116 = _t115 + 0xffffffdc;
							_t103 = __eax - 0x10;
							E00402AD8(__eax, _t89, __edi);
							_t58 = _t103;
							 *_t116 =  *_t58;
							_v48 =  *((intOrPtr*)(_t58 + 4));
							_t92 =  *(_t58 + 0xc);
							if((_t92 & 0x00000008) != 0) {
								_t79 = _t103;
								_t113 = _t92 & 0xfffffff0;
								_t99 = 0;
								__eflags = 0;
								while(1) {
									VirtualQuery(_t79,  &_v44, 0x1c);
									_t61 = VirtualFree(_t79, 0, 0x8000);
									__eflags = _t61;
									if(_t61 == 0) {
										_t99 = _t99 | 0xffffffff;
										goto L10;
									}
									_t104 = _v44.RegionSize;
									__eflags = _t113 - _t104;
									if(_t113 > _t104) {
										_t113 = _t113 - _t104;
										_t79 = _t79 + _t104;
										continue;
									}
									goto L10;
								}
							} else {
								if(VirtualFree(_t103, 0, 0x8000) == 0) {
									_t99 = __edi | 0xffffffff;
								} else {
									_t99 = 0;
								}
							}
							L10:
							if(_t99 == 0) {
								 *_v48 =  *_t116;
								 *( *_t116 + 4) = _v48;
							}
							 *0x599acc = 0;
							return _t99;
						} else {
							return 0xffffffff;
						}
					} else {
						goto L31;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L14;
							}
							asm("pause");
							__eflags =  *0x5978dd;
							if(__eflags != 0) {
								continue;
							} else {
								Sleep(0);
								__edx = __edx;
								__ecx = __ecx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									__edx = __edx;
									__ecx = __ecx;
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t14 = __edx + 0xc;
					 *_t14 =  *(__edx + 0xc) - 1;
					__eflags =  *_t14;
					__eax =  *(__edx + 8);
					if( *_t14 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L20:
							 *(__ebx + 0xc) = __eax;
						} else {
							__eax =  *(__edx + 0x14);
							__ecx =  *(__edx + 4);
							 *(__eax + 4) = __ecx;
							 *(__ecx + 0x14) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x10)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x10)) == __edx) {
								goto L20;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x597055; // 0x0
						L31:
						_t95 = _t89 & 0xfffffff0;
						__eflags = _t78;
						_t81 = _t89 & 0xfffffff0;
						_push(_t101);
						_t106 = _t56;
						if(__eflags != 0) {
							while(1) {
								_t67 = 0x100;
								asm("lock cmpxchg [0x597a3c], ah");
								if(__eflags == 0) {
									goto L32;
								}
								asm("pause");
								__eflags =  *0x5978dd;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									_t67 = 0x100;
									asm("lock cmpxchg [0x597a3c], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L32;
							}
						}
						L32:
						__eflags = (_t106 - 4)[_t81] & 0x00000001;
						_t87 = (_t106 - 4)[_t81];
						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
							_t67 = _t81 + _t106;
							_t88 = _t87 & 0xfffffff0;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00402954(_t67);
							}
						} else {
							_t88 = _t87 | 0x00000008;
							__eflags = _t88;
							(_t106 - 4)[_t81] = _t88;
						}
						__eflags =  *(_t106 - 4) & 0x00000008;
						if(( *(_t106 - 4) & 0x00000008) != 0) {
							_t88 =  *(_t106 - 8);
							_t106 = _t106 - _t88;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00402954(_t106);
							}
						}
						__eflags = _t81 - 0x13ffe0;
						if(_t81 == 0x13ffe0) {
							__eflags =  *0x597a44 - 0x13ffe0;
							if( *0x597a44 != 0x13ffe0) {
								_t82 = _t106 + 0x13ffe0;
								E004029F4(_t67, _t95);
								 *((intOrPtr*)(_t82 - 4)) = 2;
								 *0x597a44 = 0x13ffe0;
								 *0x597a40 = _t82;
								 *0x597a3c = 0;
								__eflags = 0;
								return 0;
							} else {
								_t108 = _t106 - 0x10;
								_t70 =  *_t108;
								_t96 =  *(_t108 + 4);
								 *(_t70 + 4) = _t96;
								 *_t96 = _t70;
								 *0x597a3c = 0;
								_t71 = VirtualFree(_t108, 0, 0x8000);
								__eflags = _t71 - 1;
								asm("sbb eax, eax");
								return _t71;
							}
						} else {
							 *(_t106 - 4) = _t81 + 3;
							 *(_t106 - 8 + _t81) = _t81;
							E00402994(_t106, _t88, _t81);
							 *0x597a3c = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 8) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 4);
							 *(__edx + 0x14) = __ebx;
							 *(__edx + 4) = __ecx;
							 *(__ecx + 0x14) = __edx;
							 *(__ebx + 4) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

0x004030f8
0x004030f8
0x00403101
0x00403107
0x004031f0
0x004031f3
0x004032e0
0x004032e1
0x004032e4
0x00402b84
0x00402b86
0x00402b88
0x00402b8d
0x00402b90
0x00402b95
0x00402b99
0x00402b9f
0x00402ba3
0x00402ba9
0x00402bc5
0x00402bc9
0x00402bcc
0x00402bcc
0x00402bce
0x00402bd6
0x00402be3
0x00402be8
0x00402bea
0x00402bec
0x00402bef
0x00402bef
0x00402bf1
0x00402bf5
0x00402bf7
0x00402bf9
0x00402bfb
0x00000000
0x00402bfb
0x00000000
0x00402bf7
0x00402bab
0x00402bba
0x00402bc0
0x00402bbc
0x00402bbc
0x00402bbc
0x00402bba
0x00402bff
0x00402c01
0x00402c0a
0x00402c13
0x00402c13
0x00402c16
0x00402c26
0x004032ea
0x004032ef
0x004032ef
0x00000000
0x00000000
0x00000000
0x0040310d
0x0040310d
0x0040310f
0x00403111
0x00403174
0x00403174
0x00403179
0x0040317d
0x00000000
0x00000000
0x0040317f
0x00403181
0x00403188
0x00000000
0x0040318a
0x0040318e
0x00403193
0x00403194
0x00403195
0x0040319a
0x0040319e
0x004031a8
0x004031ad
0x004031ae
0x00000000
0x004031ae
0x0040319e
0x00000000
0x00403188
0x00403174
0x00403113
0x00403113
0x00403113
0x00403113
0x00403117
0x0040311a
0x00403148
0x0040314a
0x0040315f
0x0040315f
0x0040314c
0x0040314c
0x0040314f
0x00403152
0x00403155
0x00403158
0x0040315a
0x0040315d
0x00000000
0x00000000
0x0040315d
0x00403162
0x00403164
0x00403166
0x00403169
0x004031f9
0x004031f9
0x004031fc
0x004031fe
0x00403200
0x00403201
0x00403203
0x004031b4
0x004031b4
0x004031b9
0x004031c1
0x00000000
0x00000000
0x004031c3
0x004031c5
0x004031cc
0x00000000
0x004031ce
0x004031d0
0x004031d5
0x004031da
0x004031e2
0x004031e6
0x00000000
0x004031e6
0x004031e2
0x00000000
0x004031cc
0x004031b4
0x00403205
0x00403205
0x0040320d
0x00403211
0x00403248
0x0040324b
0x0040324e
0x00403250
0x00403256
0x00403258
0x00403258
0x00403213
0x00403213
0x00403213
0x00403216
0x00403216
0x0040321a
0x0040321e
0x00403260
0x00403263
0x00403265
0x00403267
0x0040326d
0x00403271
0x00403271
0x0040326d
0x00403220
0x00403226
0x00403278
0x00403282
0x004032b0
0x004032b6
0x004032bb
0x004032c2
0x004032cc
0x004032d2
0x004032d9
0x004032dd
0x00403284
0x00403284
0x00403287
0x00403289
0x0040328c
0x0040328f
0x00403291
0x004032a0
0x004032a5
0x004032a8
0x004032ac
0x004032ac
0x00403228
0x0040322b
0x0040322e
0x00403236
0x0040323b
0x00403242
0x00403246
0x00403246
0x0040311c
0x0040311c
0x0040311e
0x00403124
0x00403127
0x00403130
0x00403133
0x00403136
0x00403139
0x0040313c
0x0040313f
0x00403142
0x00403142
0x00403144
0x00403145
0x00403129
0x00403129
0x00403129
0x0040312b
0x0040312d
0x0040312e
0x0040312e
0x00403127
0x0040311a

APIs

Sleep.KERNEL32(00000000,?,?,00000000,00402D6A), ref: 0040318E
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00402D6A), ref: 004031A8

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 5db9835f6560081655e61194009fce58d8c22021f4403119ce588f8753019013
Instruction ID: b2771c77c9c6b17bed68a6e1990eacf53409727be73d94e38056d073bd9a43f5
Opcode Fuzzy Hash: 5db9835f6560081655e61194009fce58d8c22021f4403119ce588f8753019013
Instruction Fuzzy Hash: 7B6121712042008FD715CF29DA89B26BFE8AB99311F18C1BFE4489B3D2D6B8CA45DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040DEBC, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DEBC() {
				struct HINSTANCE__* _t6;
				struct HINSTANCE__* _t8;
				intOrPtr* _t11;
				struct HRSRC__* _t15;
				void* _t16;
				intOrPtr _t27;

				_t6 =  *0x599c40; // 0x400000
				_t15 = FindResourceW(_t6, L"CHARTABLE", 0xa);
				if(_t15 == 0) {
					E0041CFC8();
				}
				_t8 =  *0x599c40; // 0x400000
				_t16 = LoadResource(_t8, _t15);
				if(_t16 == 0) {
					E0041CFC8();
				}
				 *0x599c5c = LockResource(_t16);
				if( *0x599c5c == 0) {
					E0041CFC8();
				}
				_t11 =  *0x599c5c;
				_t27 =  *0x599c5c;
				 *0x599c60 = _t27 +  *_t11;
				 *0x599c64 = _t27 +  *((intOrPtr*)(_t11 + 4));
				 *0x599c68 = _t27 +  *((intOrPtr*)(_t11 + 8));
				 *0x599c6c = _t27 +  *((intOrPtr*)(_t11 + 0xc));
				 *0x599c70 = _t27 +  *((intOrPtr*)(_t11 + 0x10));
				 *0x599c74 = _t27 +  *((intOrPtr*)(_t11 + 0x14));
				return _t11;
			}

0x0040deca
0x0040ded5
0x0040ded9
0x0040dedb
0x0040dedb
0x0040dee1
0x0040deec
0x0040def0
0x0040def2
0x0040def2
0x0040defd
0x0040df02
0x0040df04
0x0040df04
0x0040df09
0x0040df0b
0x0040df11
0x0040df1c
0x0040df27
0x0040df32
0x0040df3d
0x0040df46
0x0040df4e

APIs

FindResourceW.KERNEL32(00400000,CHARTABLE,0000000A,?,?,0040DB98), ref: 0040DED0
LoadResource.KERNEL32(00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040DB98), ref: 0040DEE7
LockResource.KERNEL32(00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040DB98), ref: 0040DEF8

Part of subcall function 0041CFC8: GetLastError.KERNEL32(0040DF09,00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040DB98), ref: 0041CFC8

Strings

CHARTABLE, xrefs: 0040DEC5

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: Resource$ErrorFindLastLoadLock
String ID: CHARTABLE
API String ID: 1074440638-2668339182
Opcode ID: 1d06efd70541793e54a5303c4b49dfd1a62ac766b556ced0a3244d01ea424a25
Instruction ID: 9d36f626491fede3d8dbdac26b0b60484613aebdc44ea67df3681acba8c573e6
Opcode Fuzzy Hash: 1d06efd70541793e54a5303c4b49dfd1a62ac766b556ced0a3244d01ea424a25
Instruction Fuzzy Hash: 4E01A1B07402018FC708EF99DCD0D6937E9AB6831070A813FE102677D1CB388C05DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040920C, Relevance: 6.1, APIs: 4, Instructions: 97
threadCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040920C(signed short __eax, void* __edx) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				short _v22;
				short _v24;
				char _v26;
				char _v32;
				void* _t40;
				void* _t56;
				void* _t60;
				short* _t63;
				signed short _t67;
				void* _t68;
				void* _t69;
				intOrPtr _t70;
				void* _t75;
				signed short _t82;
				void* _t84;

				_t84 = __edx;
				_t67 = __eax;
				_v16 = 0;
				if(__eax !=  *0x599b54()) {
					_v16 = E004091C8( &_v8);
					_t82 = _t67;
					_v20 = 3;
					_t63 =  &_v26;
					do {
						_t75 = (_t82 & 0xf) + 1;
						_t70 =  *0x58f9e4; // 0x408e68
						_t7 = _t75 - 1; // 0x32313000
						 *_t63 =  *(_t70 + _t7) & 0x000000ff;
						_t82 = (_t82 & 0x0000ffff) >> 4;
						_v20 = _v20 - 1;
						_t63 = _t63 - 2;
					} while (_v20 != 0xffffffff);
					_v24 = 0;
					_v22 = 0;
					 *0x599b50(4,  &_v32,  &_v20);
				}
				_t40 = E004091C8( &_v12);
				_t68 = _t40;
				if(_t68 != 0) {
					_t56 = _v12 - 2;
					if(_t56 >= 0) {
						_t60 = _t56 + 1;
						_v20 = 0;
						do {
							if( *((short*)(_t68 + _v20 * 2)) == 0) {
								 *((short*)(_t68 + _v20 * 2)) = 0x2c;
							}
							_v20 = _v20 + 1;
							_t60 = _t60 - 1;
						} while (_t60 != 0);
					}
					E00407098(_t84, _t68);
					_t40 = E004042B8(_t68);
				}
				if(_v16 != 0) {
					 *0x599b50(0, 0,  &_v20);
					_t69 = E004091C8( &_v12);
					if(_v8 != _v12 || E004091A4(_v16, _v12, _t69) != 0) {
						 *0x599b50(8, _v16,  &_v20);
					}
					E004042B8(_t69);
					return E004042B8(_v16);
				}
				return _t40;
			}

0x00409214
0x00409216
0x0040921a
0x00409226
0x00409230
0x00409233
0x00409235
0x0040923c
0x0040923f
0x00409248
0x00409249
0x0040924f
0x00409254
0x0040925a
0x0040925d
0x00409260
0x00409263
0x00409269
0x0040926f
0x0040927f
0x0040927f
0x00409288
0x0040928d
0x00409291
0x00409296
0x0040929b
0x0040929d
0x0040929e
0x004092a5
0x004092ad
0x004092b2
0x004092b2
0x004092b8
0x004092bb
0x004092bb
0x004092a5
0x004092c2
0x004092c9
0x004092c9
0x004092d2
0x004092dc
0x004092ea
0x004092f2
0x0040930f
0x0040930f
0x00409317
0x00000000
0x0040931f
0x00409329

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040921D
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040927F
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 004092DC
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040930F

Part of subcall function 004091C8: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040928D), ref: 004091DF
Part of subcall function 004091C8: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040928D), ref: 004091FC

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 2b5289997c3f48a0a46013fabdc9d09d4ab086bd1008ef45c81fdbcc576f618c
Instruction ID: 0570b00836194379ff17fc3d01652a9f38f80928bd7490e1c9793cccc540ad7a
Opcode Fuzzy Hash: 2b5289997c3f48a0a46013fabdc9d09d4ab086bd1008ef45c81fdbcc576f618c
Instruction Fuzzy Hash: B8317070A0411AABDB10DFE9D884AEEB3B9FF44304F4045BAE914F72D2D7789E048B55

Uniqueness

Uniqueness Score: -1.00%

Function 00405575, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00405575(void* __ebx, void* __edi, void* __esi, void* __ebp, struct _EXCEPTION_POINTERS _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				struct _EXCEPTION_RECORD* _t22;
				intOrPtr* _t25;
				long _t28;
				long _t30;
				long _t31;
				long _t32;
				void* _t33;
				void* _t38;
				long _t41;
				intOrPtr* _t43;
				intOrPtr _t44;
				void* _t45;
				void* _t47;
				void* _t48;
				intOrPtr _t50;

				_t48 = __ebp;
				_t47 = __esi;
				_t45 = __edi;
				_t33 = __ebx;
				_t22 = _a4.ExceptionRecord;
				if((_t22->ExceptionFlags & 0x00000006) == 0) {
					_t41 = _t22->ExceptionInformation[1];
					_t38 = _t22->ExceptionInformation;
					if(_t22->ExceptionCode == 0xeedfade) {
						L11:
						if( *0x58f02c <= 1 ||  *0x58f028 > 0) {
							goto L14;
						}
						_t28 = UnhandledExceptionFilter( &_a4);
						_t38 = _t38;
						_t41 = _t41;
						_t22 = _t22;
						if(_t28 != 0) {
							goto L14;
						}
					} else {
						asm("cld");
						E00404ECC(_t22);
						_t43 =  *0x597010; // 0x41b1c8
						if(_t43 != 0) {
							_t30 =  *_t43();
							if(_t30 != 0) {
								_t44 = _a12;
								if(_a4.ExceptionRecord->ExceptionCode == 0xeefface) {
									L10:
									_t41 = _t30;
									_t22 = _a4.ExceptionRecord;
									_t38 = _t22->ExceptionAddress;
									goto L11;
								} else {
									_t30 = E00405674(_t30, _t44);
									if( *0x58f02c <= 0 ||  *0x58f028 > 0) {
										goto L10;
									} else {
										_t31 = UnhandledExceptionFilter( &_a4);
										_t32 = _t30;
										if(_t31 != 0) {
											_t41 = _t32;
											_t22 = _a4.ExceptionRecord;
											_t38 = _t22->ExceptionAddress;
											L14:
											_t22->ExceptionFlags = _t22->ExceptionFlags | 0x00000002;
											 *0x597018(_a8, 0x405834, _t22, 0, _t38, _t41, _t22,  *[fs:ebx], _t48, _t45, _t47, _t33);
											_t46 = _v8;
											_t25 = E0040ABA0();
											_push( *_t25);
											 *_t25 = _t50;
											 *((intOrPtr*)(_v8 + 4)) = E00405860;
											E004056C4(_t25,  *((intOrPtr*)(_t46 + 4)) + 5);
											goto __ebx;
										}
									}
								}
							}
						}
					}
				}
				return 1;
			}

0x00405575
0x00405575
0x00405575
0x00405575
0x0040575c
0x00405767
0x00405773
0x00405776
0x00405779
0x004057e9
0x004057f0
0x00000000
0x00000000
0x00405803
0x0040580b
0x0040580c
0x0040580d
0x0040580e
0x00000000
0x00000000
0x0040577b
0x0040577b
0x0040577c
0x00405781
0x00405789
0x0040578f
0x00405793
0x00405799
0x004057a7
0x004057e0
0x004057e0
0x004057e2
0x004057e6
0x00000000
0x004057a9
0x004057a9
0x004057b5
0x00000000
0x004057c0
0x004057c6
0x004057ce
0x004057cf
0x004057d5
0x004057d7
0x004057db
0x00405810
0x00405810
0x0040582e
0x00405834
0x00405838
0x0040583d
0x00405843
0x0040584f
0x00405859
0x0040585e
0x0040585e
0x004057cf
0x004057b5
0x004057a7
0x00405793
0x00405789
0x00405779
0x00405885

APIs

UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 004057C6
UnhandledExceptionFilter.KERNEL32(?,?,?,?), ref: 00405803

Strings

`X@, xrefs: 0040579D, 004057C0, 004057D7, 004057C5, 0040581E, 0040581F, 00405827

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: `X@
API String ID: 3192549508-3005777150
Opcode ID: 5e618ef0952255181e8688b1d0bc0c9ae61b9ace92acdbcaef862e63c412e83d
Instruction ID: fc333e51e5c20c33e420077cb39b0d1d1b69b0073ce168de8830d1b54fca43d1
Opcode Fuzzy Hash: 5e618ef0952255181e8688b1d0bc0c9ae61b9ace92acdbcaef862e63c412e83d
Instruction Fuzzy Hash: C6318F71604600EFD324EB10C888F27B7A9EB88714F54C97BE808A7291C638EC54DF69

Uniqueness

Uniqueness Score: -1.00%

Function 004060D8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81
threadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004060D8() {
				intOrPtr* _t13;
				int _t22;
				void* _t42;
				intOrPtr _t53;
				intOrPtr _t56;
				void* _t57;

				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
				if( *0x58f004 != 0) {
					E00405FC0();
					E00406050(_t42);
					 *0x58f004 = 0;
				}
				if( *0x599b20 != 0 && GetCurrentThreadId() ==  *0x599b48) {
					E00405D5C(0x599b1c);
					E00406024(0x599b1c);
				}
				if( *0x00599B14 != 0 ||  *0x597050 == 0) {
					L9:
					if( *((char*)(0x599b14)) == 2 &&  *0x58f000 == 0) {
						 *0x00599AF8 = 0;
					}
					E00405D84();
					if( *((char*)(0x599b14)) <= 1 ||  *0x58f000 != 0) {
						_t47 =  *0x00599AFC;
						if( *0x00599AFC != 0) {
							E00409E04(_t47);
							_t56 =  *((intOrPtr*)(0x599afc));
							_t7 = _t56 + 0x10; // 0x400000
							_t53 =  *_t7;
							_t8 = _t56 + 4; // 0x400000
							if(_t53 !=  *_t8 && _t53 != 0) {
								_push(_t53);
								E0040253C();
							}
						}
					}
					E00405D5C(0x599aec);
					if( *((char*)(0x599b14)) == 1) {
						 *0x00599B10();
					}
					if( *((char*)(0x599b14)) != 0) {
						E00406024(0x599aec);
					}
					if( *0x599aec == 0) {
						if( *0x597030 != 0) {
							 *0x597030();
						}
						_t22 =  *0x58f000; // 0x0
						ExitProcess(_t22);
					}
					memcpy(0x599aec,  *0x599aec, 0xc << 2);
					_t57 = _t57 + 0xc;
				} else {
					do {
						 *0x597050 = 0;
						 *((intOrPtr*)( *0x597050))();
					} while ( *0x597050 != 0);
				}
			}

0x004060da
0x004060f5
0x004060f7
0x004060fc
0x00406103
0x00406103
0x0040610f
0x00406123
0x0040612d
0x0040612d
0x00406136
0x0040614c
0x00406150
0x0040615d
0x0040615d
0x00406160
0x00406169
0x00406174
0x00406179
0x0040617d
0x00406182
0x00406185
0x00406185
0x00406188
0x0040618b
0x00406191
0x00406192
0x00406192
0x0040618b
0x00406179
0x00406199
0x004061a2
0x004061a4
0x004061a4
0x004061ab
0x004061af
0x004061af
0x004061b7
0x004061c0
0x004061c2
0x004061c2
0x004061c8
0x004061ce
0x004061ce
0x004061de
0x004061de
0x00000000
0x0040613d
0x00406143
0x00406145
0x00406147
0x0040613d

APIs

GetCurrentThreadId.KERNEL32 ref: 00406111
ExitProcess.KERNEL32(00000000,?,?,?,?,?,00000001,004061F6,004043AB,004043F2), ref: 004061CE

Strings

@1A, xrefs: 004060E9

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: CurrentExitProcessThread
String ID: @1A
API String ID: 3829508566-1214063206
Opcode ID: e690d8551c987fb7330f81c24fdc6a621c4db959f3537f76e316c60dcf497cd0
Instruction ID: 85350be8c02cbf8fbf676353c5e113d38c980d78e6ecc47d03ac8fd955a26753
Opcode Fuzzy Hash: e690d8551c987fb7330f81c24fdc6a621c4db959f3537f76e316c60dcf497cd0
Instruction Fuzzy Hash: 973149709002508BDF21AF28C98835A3BE1AF59314F1A157BE806AF2D7D77C9CA4CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004060E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79
threadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004060E0() {
				int _t19;
				void* _t38;
				intOrPtr _t47;
				intOrPtr _t49;
				void* _t50;

				if( *0x58f004 != 0) {
					E00405FC0();
					E00406050(_t38);
					 *0x58f004 = 0;
				}
				if( *0x599b20 != 0 && GetCurrentThreadId() ==  *0x599b48) {
					E00405D5C(0x599b1c);
					E00406024(0x599b1c);
				}
				if( *0x00599B14 != 0 ||  *0x597050 == 0) {
					L8:
					if( *((char*)(0x599b14)) == 2 &&  *0x58f000 == 0) {
						 *0x00599AF8 = 0;
					}
					E00405D84();
					if( *((char*)(0x599b14)) <= 1 ||  *0x58f000 != 0) {
						_t42 =  *0x00599AFC;
						if( *0x00599AFC != 0) {
							E00409E04(_t42);
							_t49 =  *((intOrPtr*)(0x599afc));
							_t7 = _t49 + 0x10; // 0x400000
							_t47 =  *_t7;
							_t8 = _t49 + 4; // 0x400000
							if(_t47 !=  *_t8 && _t47 != 0) {
								_push(_t47);
								E0040253C();
							}
						}
					}
					E00405D5C(0x599aec);
					if( *((char*)(0x599b14)) == 1) {
						 *0x00599B10();
					}
					if( *((char*)(0x599b14)) != 0) {
						E00406024(0x599aec);
					}
					if( *0x599aec == 0) {
						if( *0x597030 != 0) {
							 *0x597030();
						}
						_t19 =  *0x58f000; // 0x0
						ExitProcess(_t19);
					}
					memcpy(0x599aec,  *0x599aec, 0xc << 2);
					_t50 = _t50 + 0xc;
				} else {
					do {
						 *0x597050 = 0;
						 *((intOrPtr*)( *0x597050))();
					} while ( *0x597050 != 0);
				}
			}

0x004060f5
0x004060f7
0x004060fc
0x00406103
0x00406103
0x0040610f
0x00406123
0x0040612d
0x0040612d
0x00406136
0x0040614c
0x00406150
0x0040615d
0x0040615d
0x00406160
0x00406169
0x00406174
0x00406179
0x0040617d
0x00406182
0x00406185
0x00406185
0x00406188
0x0040618b
0x00406191
0x00406192
0x00406192
0x0040618b
0x00406179
0x00406199
0x004061a2
0x004061a4
0x004061a4
0x004061ab
0x004061af
0x004061af
0x004061b7
0x004061c0
0x004061c2
0x004061c2
0x004061c8
0x004061ce
0x004061ce
0x004061de
0x004061de
0x00000000
0x0040613d
0x00406143
0x00406145
0x00406147
0x0040613d

APIs

GetCurrentThreadId.KERNEL32 ref: 00406111
ExitProcess.KERNEL32(00000000,?,?,?,?,?,00000001,004061F6,004043AB,004043F2), ref: 004061CE

Strings

@1A, xrefs: 004060E9

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: CurrentExitProcessThread
String ID: @1A
API String ID: 3829508566-1214063206
Opcode ID: 05edc5ab78ca9fda08ff7b3f4b9c7b893f4ce631566548ad5b810fef346ca9ba
Instruction ID: 210f615b19aded16495c916c48c9a8a76cca6e09c78987f102b16efb96521389
Opcode Fuzzy Hash: 05edc5ab78ca9fda08ff7b3f4b9c7b893f4ce631566548ad5b810fef346ca9ba
Instruction Fuzzy Hash: CB3148709002108BDF21AF28C98835A3AE1AB59314F26117BE806AB3D7D77C9CA4CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3C4, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D3C4() {
				struct HINSTANCE__* _t1;
				struct HINSTANCE__* _t2;
				intOrPtr _t3;
				void* _t4;
				void* _t5;

				if( *0x599c50 == 0) {
					_t1 = GetModuleHandleW(L"comctl32.dll");
					 *0x599c50 = _t1;
					if( *0x599c50 != 0) {
						_t2 =  *0x599c50; // 0x0
						_t3 = E0040BFDC(_t4, _t5, _t2, L"InitCommonControlsEx");
						 *0x599c54 = _t3;
						return _t3;
					}
				}
				return _t1;
			}

0x0040d3cb
0x0040d3d2
0x0040d3d7
0x0040d3e3
0x0040d3ea
0x0040d3f0
0x0040d3f5
0x00000000
0x0040d3f5
0x0040d3e3
0x0040d3fa

APIs

GetModuleHandleW.KERNEL32(comctl32.dll), ref: 0040D3D2

Part of subcall function 0040BFDC: GetProcAddress.KERNEL32(?,?), ref: 0040C000

Strings

InitCommonControlsEx, xrefs: 0040D3E5
comctl32.dll, xrefs: 0040D3CD

Memory Dump Source

Source File: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.613391847.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.614773543.000000000058F000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614825410.000000000059B000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614860780.00000000005A4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614946395.00000000005D4000.00000040.00020000.sdmp Download File
Associated: 00000015.00000002.614984460.00000000005D8000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_spmm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: InitCommonControlsEx$comctl32.dll
API String ID: 1646373207-802336580
Opcode ID: 25957a84829b5305ec3255008f6c8bab8805dda5405b49a979b873709a666179
Instruction ID: 500215833ebce75ff3a24bc3e221b03df10b4e4fafe717fda251457bbda1a334
Opcode Fuzzy Hash: 25957a84829b5305ec3255008f6c8bab8805dda5405b49a979b873709a666179
Instruction Fuzzy Hash: EED042609482499AC706DBA89C097153390F325305F01053FA409A66E4CB78084CEB5A

Uniqueness

Uniqueness Score: -1.00%

Function 02700E21, Relevance: 5.2, Strings: 4, Instructions: 160COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$_I$uC
API String ID: 0-3092754440
Opcode ID: acfed93ec5574ae33dee1d8f64d3fd247ac3c335734432e26cd31df2832d3d0d
Instruction ID: 1ec8271546d657279069ed4ffd2eb8a08697d8ac2bf1c26352d546b67580ecb8
Opcode Fuzzy Hash: acfed93ec5574ae33dee1d8f64d3fd247ac3c335734432e26cd31df2832d3d0d
Instruction Fuzzy Hash: 9351783354C215DB8304D92CDC846FA77D1EA85230759873FE856BB2C5E721A60EC2C5

Uniqueness

Uniqueness Score: -1.00%

Function 02700E56, Relevance: 5.1, Strings: 4, Instructions: 144COMMON

Download Yara Rule

Strings

_I, xrefs: 02700EA5
uC, xrefs: 02700F15
6tB, xrefs: 02700FA8
.J, xrefs: 02700E86

Memory Dump Source

Source File: 00000015.00000003.353499038.0000000002700000.00000004.00000001.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_3_2700000_spmm.jbxd

Similarity

API ID:
String ID: .J$6tB$_I$uC
API String ID: 0-3092754440
Opcode ID: 724d15bb0ce42587fd366527ec4f392f28fa64cfeeb117a0add6eab627c2726d
Instruction ID: 97a96a352002596d92c57bae9007c41a243e9840393c4ea35a143ebc9c9eca1a
Opcode Fuzzy Hash: 724d15bb0ce42587fd366527ec4f392f28fa64cfeeb117a0add6eab627c2726d
Instruction Fuzzy Hash: 8B417B3394C215CB8308D92CDC906FAB7C1EB86230759473BE856B72D5E725B60DC2C5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report sfk_setup.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Function 004110C4, Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 160
libraryloaderCOMMON

Function 00405DE8, Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 207
registrystringlibraryCOMMON

Function 00405F23, Relevance: 15.1, APIs: 10, Instructions: 108
stringlibrarythreadCOMMON

Function 00406458, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00411C96, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 103
COMMON

Function 00401C7C, Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Function 00411C7F, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 103
COMMON

Function 0040EB50, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Function 00411648, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56
COMMON

Function 004018F8, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Function 0040ED40, Relevance: 7.6, APIs: 5, Instructions: 80
memoryCOMMON

Function 0040E414, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Function 004068EC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMON

Function 0040E5DC, Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Function 00404580, Relevance: 4.6, APIs: 3, Instructions: 92
threadCOMMON

Function 00404578, Relevance: 4.6, APIs: 3, Instructions: 87
threadCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre